eternity | df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

General

Target

Worm.exe
Size

1.3MB
MD5

d16f7b6510caf611ce85f0488ae0a65d
SHA1

e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d
SHA256

df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf
SHA512

7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53
SSDEEP

24576:fgEdnkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:fgEuHZ5MMpoJOp+MIVai7Tq24GjdGS

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Attributes

payload_urls
http://140.82.34.147/Client.exe
http://140.82.34.147/Client.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Worm.exeWorm.exeWorm.exe

pid process

2380 Worm.exe
4504 Worm.exe
672 Worm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Worm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation Worm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2104 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2460 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Worm.exe

description pid process

Token: SeDebugPrivilege 2380 Worm.exe

pid	process
2380	Worm.exe
4504	Worm.exe
672	Worm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Worm.exe

pid	process
2104	schtasks.exe

pid	process
2460	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2380	Worm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Worm.execmd.exe

description	pid	process	target process
PID 3440 wrote to memory of 1780	3440	Worm.exe	cmd.exe
PID 3440 wrote to memory of 1780	3440	Worm.exe	cmd.exe
PID 3440 wrote to memory of 1780	3440	Worm.exe	cmd.exe
PID 1780 wrote to memory of 5088	1780	cmd.exe	chcp.com
PID 1780 wrote to memory of 5088	1780	cmd.exe	chcp.com
PID 1780 wrote to memory of 5088	1780	cmd.exe	chcp.com
PID 1780 wrote to memory of 2460	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 2460	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 2460	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 2104	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 2104	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 2104	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 2380	1780	cmd.exe	Worm.exe
PID 1780 wrote to memory of 2380	1780	cmd.exe	Worm.exe
PID 1780 wrote to memory of 2380	1780	cmd.exe	Worm.exe

C:\Users\Admin\AppData\Local\Temp\Worm.exe
"C:\Users\Admin\AppData\Local\Temp\Worm.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Worm.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:5088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Worm" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2104

C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
1⤵
- Executes dropped EXE
PID:672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Worm.exe.log
Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Worm.exe
Filesize
1.3MB

MD5
d16f7b6510caf611ce85f0488ae0a65d

SHA1
e7913e7dcdfc9be3a51bbd67a8e0e807b63bc33d

SHA256
df80fae5ea335a49df56a862dfc87ef1c444f1a9c23d13cc55930b9c527838cf

SHA512
7d623007a1b80a2ec205d579104eca0ce7866501c7773c9298d4bed8790c7acc88a1eaabe5dbfe5b9d78d6934e58a6d88f5262a26316b47a6da74f09dcb79d53

Download Submit
memory/1780-134-0x0000000000000000-mapping.dmp

Download
memory/2104-137-0x0000000000000000-mapping.dmp

Download
memory/2380-138-0x0000000000000000-mapping.dmp

Download
memory/2380-142-0x0000000006760000-0x00000000067B0000-memory.dmp

Filesize
320KB

Download
memory/2380-143-0x0000000006D60000-0x0000000006DF2000-memory.dmp

Filesize
584KB

Download
memory/2460-136-0x0000000000000000-mapping.dmp

Download
memory/3440-132-0x0000000000430000-0x0000000000582000-memory.dmp

Filesize
1.3MB

Download
memory/3440-133-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/5088-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads