eternity | 0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2

General

Target

1ecb28739a126df4e3a34516a624daad.exe
Size

1.3MB
MD5

1ecb28739a126df4e3a34516a624daad
SHA1

e5412bb9cbb9b3569f80a66d6e6eb835787fd06f
SHA256

0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2
SHA512

4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874
SSDEEP

24576:rajkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:mIHZ5MMpoJOp+MIVai7Tq24GjdGS

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://91.218.183.96/test/WZHF.exe
http://91.218.183.96/test/Stealer.exe, http://91.218.183.96/test/Miner.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 2 IoCs

Processes:

1ecb28739a126df4e3a34516a624daad.exe1ecb28739a126df4e3a34516a624daad.exe

pid process

4280 1ecb28739a126df4e3a34516a624daad.exe
5044 1ecb28739a126df4e3a34516a624daad.exe

pid	process
4280	1ecb28739a126df4e3a34516a624daad.exe
5044	1ecb28739a126df4e3a34516a624daad.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1ecb28739a126df4e3a34516a624daad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1ecb28739a126df4e3a34516a624daad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4188 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3336 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1ecb28739a126df4e3a34516a624daad.exe

description pid process

Token: SeDebugPrivilege 4280 1ecb28739a126df4e3a34516a624daad.exe

pid	process
4188	schtasks.exe

pid	process
3336	PING.EXE

description	pid	process
Token: SeDebugPrivilege	4280	1ecb28739a126df4e3a34516a624daad.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1ecb28739a126df4e3a34516a624daad.execmd.exe

description	pid	process	target process
PID 996 wrote to memory of 3612	996	1ecb28739a126df4e3a34516a624daad.exe	cmd.exe
PID 996 wrote to memory of 3612	996	1ecb28739a126df4e3a34516a624daad.exe	cmd.exe
PID 996 wrote to memory of 3612	996	1ecb28739a126df4e3a34516a624daad.exe	cmd.exe
PID 3612 wrote to memory of 3188	3612	cmd.exe	chcp.com
PID 3612 wrote to memory of 3188	3612	cmd.exe	chcp.com
PID 3612 wrote to memory of 3188	3612	cmd.exe	chcp.com
PID 3612 wrote to memory of 3336	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 3336	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 3336	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 4188	3612	cmd.exe	schtasks.exe
PID 3612 wrote to memory of 4188	3612	cmd.exe	schtasks.exe
PID 3612 wrote to memory of 4188	3612	cmd.exe	schtasks.exe
PID 3612 wrote to memory of 4280	3612	cmd.exe	1ecb28739a126df4e3a34516a624daad.exe
PID 3612 wrote to memory of 4280	3612	cmd.exe	1ecb28739a126df4e3a34516a624daad.exe
PID 3612 wrote to memory of 4280	3612	cmd.exe	1ecb28739a126df4e3a34516a624daad.exe

C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe
"C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "1ecb28739a126df4e3a34516a624daad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1ecb28739a126df4e3a34516a624daad.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3188

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "1ecb28739a126df4e3a34516a624daad" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4188

C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
"C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
1⤵
- Executes dropped EXE
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1ecb28739a126df4e3a34516a624daad.exe.log
Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
Filesize
1.3MB

MD5
1ecb28739a126df4e3a34516a624daad

SHA1
e5412bb9cbb9b3569f80a66d6e6eb835787fd06f

SHA256
0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2

SHA512
4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
Filesize
1.3MB

MD5
1ecb28739a126df4e3a34516a624daad

SHA1
e5412bb9cbb9b3569f80a66d6e6eb835787fd06f

SHA256
0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2

SHA512
4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\1ecb28739a126df4e3a34516a624daad.exe
Filesize
1.3MB

MD5
1ecb28739a126df4e3a34516a624daad

SHA1
e5412bb9cbb9b3569f80a66d6e6eb835787fd06f

SHA256
0cf7bb3681f56dc82e6b1d2ad54ca526fcd6850c02476968e53020ee65a8f9d2

SHA512
4bb7432d40cafbd082d0bb724d04b216b134e76fde4da9722534e709abb40aaa1d258e94fa8e97b003d99fac584ba00e613e982f8b58016401a745e671766874

Download Submit
memory/996-132-0x0000000000C60000-0x0000000000DB2000-memory.dmp

Filesize
1.3MB

Download
memory/996-133-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/3188-135-0x0000000000000000-mapping.dmp

Download
memory/3336-136-0x0000000000000000-mapping.dmp

Download
memory/3612-134-0x0000000000000000-mapping.dmp

Download
memory/4188-137-0x0000000000000000-mapping.dmp

Download
memory/4280-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads