eternity | 67014237713d167e0676ed58d8aa095cbfef04cbc834c0dc512fd5c3df6285ea

Analysis

max time kernel
152s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

219c1d87426d8ed8b3e62176d1291f80.exe
Size

8.9MB
MD5

219c1d87426d8ed8b3e62176d1291f80
SHA1

105af4d6ca9510c99657145ff0ebf4db71238a32
SHA256

67014237713d167e0676ed58d8aa095cbfef04cbc834c0dc512fd5c3df6285ea
SHA512

0bcfb390bd234bd313ea4335faae2011e297f7d9012b14457a011c883b171b99c08e8c43a6f4502ea260a2138521c006e0e78365cbcfb74cb7a417e8e9b56dd6
SSDEEP

196608:FquoUUOSW7GeGIr1reEs+sqgwC1UODDjai0fyxrAWk:00EkbGIrZbbsPUODZY

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe,http://167.88.170.23/101.exe,http://167.88.170.23/R101.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 6 IoCs

Processes:

Catalogo2019.exeCatalogo2019.exeCatalogo2019.exeCatalogo2019.exeCatalogo2019.exeCatalogo2019.exe

pid process

1520 Catalogo2019.exe
664 Catalogo2019.exe
1272 Catalogo2019.exe
1116 Catalogo2019.exe
1672 Catalogo2019.exe
1644 Catalogo2019.exe
Loads dropped DLL 3 IoCs

Processes:

219c1d87426d8ed8b3e62176d1291f80.exeCatalogo2019.execmd.exe

pid process

1256 219c1d87426d8ed8b3e62176d1291f80.exe
1520 Catalogo2019.exe
908 cmd.exe

pid	process
1520	Catalogo2019.exe
664	Catalogo2019.exe
1272	Catalogo2019.exe
1116	Catalogo2019.exe
1672	Catalogo2019.exe
1644	Catalogo2019.exe

pid	process
1256	219c1d87426d8ed8b3e62176d1291f80.exe
1520	Catalogo2019.exe
908	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Catalogo2019.exeCatalogo2019.exeCatalogo2019.exe

description	pid	process	target process
PID 1520 set thread context of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1272 set thread context of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1672 set thread context of 1644	1672	Catalogo2019.exe	Catalogo2019.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1668 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1884 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Catalogo2019.exe

description pid process

Token: SeDebugPrivilege 1116 Catalogo2019.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1560 AcroRd32.exe
1560 AcroRd32.exe
1560 AcroRd32.exe
1560 AcroRd32.exe

pid	process
1668	schtasks.exe

pid	process
1884	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1116	Catalogo2019.exe

pid	process
1560	AcroRd32.exe
1560	AcroRd32.exe
1560	AcroRd32.exe
1560	AcroRd32.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

219c1d87426d8ed8b3e62176d1291f80.exeCatalogo2019.exeCatalogo2019.execmd.exeCatalogo2019.exetaskeng.exeCatalogo2019.exe

description	pid	process	target process
PID 1256 wrote to memory of 1560	1256	219c1d87426d8ed8b3e62176d1291f80.exe	AcroRd32.exe
PID 1256 wrote to memory of 1560	1256	219c1d87426d8ed8b3e62176d1291f80.exe	AcroRd32.exe
PID 1256 wrote to memory of 1560	1256	219c1d87426d8ed8b3e62176d1291f80.exe	AcroRd32.exe
PID 1256 wrote to memory of 1560	1256	219c1d87426d8ed8b3e62176d1291f80.exe	AcroRd32.exe
PID 1256 wrote to memory of 1520	1256	219c1d87426d8ed8b3e62176d1291f80.exe	Catalogo2019.exe
PID 1256 wrote to memory of 1520	1256	219c1d87426d8ed8b3e62176d1291f80.exe	Catalogo2019.exe
PID 1256 wrote to memory of 1520	1256	219c1d87426d8ed8b3e62176d1291f80.exe	Catalogo2019.exe
PID 1256 wrote to memory of 1520	1256	219c1d87426d8ed8b3e62176d1291f80.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 1520 wrote to memory of 664	1520	Catalogo2019.exe	Catalogo2019.exe
PID 664 wrote to memory of 908	664	Catalogo2019.exe	cmd.exe
PID 664 wrote to memory of 908	664	Catalogo2019.exe	cmd.exe
PID 664 wrote to memory of 908	664	Catalogo2019.exe	cmd.exe
PID 664 wrote to memory of 908	664	Catalogo2019.exe	cmd.exe
PID 908 wrote to memory of 1288	908	cmd.exe	chcp.com
PID 908 wrote to memory of 1288	908	cmd.exe	chcp.com
PID 908 wrote to memory of 1288	908	cmd.exe	chcp.com
PID 908 wrote to memory of 1288	908	cmd.exe	chcp.com
PID 908 wrote to memory of 1884	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1884	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1884	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1884	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 1668	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1668	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1668	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1668	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1272	908	cmd.exe	Catalogo2019.exe
PID 908 wrote to memory of 1272	908	cmd.exe	Catalogo2019.exe
PID 908 wrote to memory of 1272	908	cmd.exe	Catalogo2019.exe
PID 908 wrote to memory of 1272	908	cmd.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1272 wrote to memory of 1116	1272	Catalogo2019.exe	Catalogo2019.exe
PID 1732 wrote to memory of 1672	1732	taskeng.exe	Catalogo2019.exe
PID 1732 wrote to memory of 1672	1732	taskeng.exe	Catalogo2019.exe
PID 1732 wrote to memory of 1672	1732	taskeng.exe	Catalogo2019.exe
PID 1732 wrote to memory of 1672	1732	taskeng.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe
PID 1672 wrote to memory of 1644	1672	Catalogo2019.exe	Catalogo2019.exe

C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe
"C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
"C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1288

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:1884

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1668

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
"{path}"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\taskeng.exe
taskeng.exe {DD0ADCAD-7C08-4CA5-ACE5-320C28838611} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf
Filesize
6.9MB

MD5
860c783b07be69a39bcc9ffd3037c26e

SHA1
aecdf16bd194f061a9a61e43e6572e5cc207721c

SHA256
cc61f690953749f79783f8001b7e450709e74d54a13857806bc4bda1603bcb4e

SHA512
f01840127856ae37167de832b67d8361452365d452c58a753a4f9c1692dde44f1b1c6d2f1083e3e9999fc4642e03a08bf6e5c3ade2b3e3a3cf21ca4996b6e3a8

Download Submit
\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
memory/664-75-0x000000000054C73E-mapping.dmp

Download
memory/664-80-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/664-70-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/664-72-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/664-74-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/664-73-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/664-78-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/664-69-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/908-82-0x0000000000000000-mapping.dmp

Download
memory/1116-98-0x000000000054C73E-mapping.dmp

Download
memory/1116-101-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1116-103-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1256-54-0x00000000002C0000-0x0000000000BB0000-memory.dmp

Filesize
8.9MB

Download
memory/1256-55-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1272-90-0x0000000000AA0000-0x0000000000C7E000-memory.dmp

Filesize
1.9MB

Download
memory/1272-88-0x0000000000000000-mapping.dmp

Download
memory/1288-83-0x0000000000000000-mapping.dmp

Download
memory/1520-67-0x000000000BC10000-0x000000000BD62000-memory.dmp

Filesize
1.3MB

Download
memory/1520-62-0x0000000000B00000-0x0000000000CDE000-memory.dmp

Filesize
1.9MB

Download
memory/1520-65-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1520-66-0x0000000008370000-0x0000000008514000-memory.dmp

Filesize
1.6MB

Download
memory/1520-59-0x0000000000000000-mapping.dmp

Download
memory/1560-56-0x0000000000000000-mapping.dmp

Download
memory/1644-114-0x000000000054C73E-mapping.dmp

Download
memory/1668-85-0x0000000000000000-mapping.dmp

Download
memory/1672-105-0x0000000000000000-mapping.dmp

Download
memory/1884-84-0x0000000000000000-mapping.dmp

Download