eternity | d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

Analysis

max time kernel
337s
max time network
391s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware.exe
Size

112KB
MD5

3e639bb5f41c23fddca94836c44b88a6
SHA1

799699566b60733bfc9429b63d63d6bff1d3225a
SHA256

d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
SHA512

e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
SSDEEP

3072:aJl5QviHOEB8+Azr2/od+Kb3upxjrGoZji:az5uiHO0F/oMKb+pdrGoZ

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ransomware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Ransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1248 PING.EXE

pid	process
1248	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Ransomware.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 3700	1112	Ransomware.exe	cmd.exe
PID 1112 wrote to memory of 3700	1112	Ransomware.exe	cmd.exe
PID 1112 wrote to memory of 3700	1112	Ransomware.exe	cmd.exe
PID 3700 wrote to memory of 2592	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 2592	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 2592	3700	cmd.exe	chcp.com
PID 3700 wrote to memory of 1248	3700	cmd.exe	PING.EXE
PID 3700 wrote to memory of 1248	3700	cmd.exe	PING.EXE
PID 3700 wrote to memory of 1248	3700	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2592

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-132-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/1112-133-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/1112-134-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/1248-137-0x0000000000000000-mapping.dmp

Download
memory/2592-136-0x0000000000000000-mapping.dmp

Download
memory/3700-135-0x0000000000000000-mapping.dmp

Download