eternity | d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

General

Target

Ransomware.exe
Size

112KB
MD5

3e639bb5f41c23fddca94836c44b88a6
SHA1

799699566b60733bfc9429b63d63d6bff1d3225a
SHA256

d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
SHA512

e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
SSDEEP

3072:aJl5QviHOEB8+Azr2/od+Kb3upxjrGoZji:az5uiHO0F/oMKb+pdrGoZ

Score

10^/10

eternity evasion ransomware

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Ransomware.exeRansomware.exe

pid process

528 Ransomware.exe
1568 Ransomware.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

Ransomware.exe

description ioc process

File renamed C:\Users\Admin\Pictures\ReceiveCompare.png => C:\Users\Admin\Pictures\ReceiveCompare.png.ecrp Ransomware.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1516 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1636 vssadmin.exe
912 vssadmin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ReceiveCompare.png => C:\Users\Admin\Pictures\ReceiveCompare.png.ecrp	Ransomware.exe

pid	process
1680	cmd.exe

pid	process
1680	cmd.exe

pid	process
1516	schtasks.exe

pid	process
1636	vssadmin.exe
912	vssadmin.exe

Modifies registry class 6 IoCs

Processes:

Ransomware.exeRansomware.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\Ransomware.exe %1"	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\Ransomware.exe %1"	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell\open\command	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.ecrp\shell	Ransomware.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

332 PING.EXE

pid	process
332	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ransomware.exeRansomware.exe

pid	process
528	Ransomware.exe
528	Ransomware.exe
528	Ransomware.exe
528	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe
1568	Ransomware.exe
528	Ransomware.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Ransomware.exevssvc.exeRansomware.exe

description	pid	process
Token: SeDebugPrivilege	528	Ransomware.exe
Token: SeBackupPrivilege	1676	vssvc.exe
Token: SeRestorePrivilege	1676	vssvc.exe
Token: SeAuditPrivilege	1676	vssvc.exe
Token: SeDebugPrivilege	1568	Ransomware.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

Ransomware.execmd.exeRansomware.execmd.exetaskeng.exeRansomware.execmd.exe

description	pid	process	target process
PID 1252 wrote to memory of 1680	1252	Ransomware.exe	cmd.exe
PID 1252 wrote to memory of 1680	1252	Ransomware.exe	cmd.exe
PID 1252 wrote to memory of 1680	1252	Ransomware.exe	cmd.exe
PID 1252 wrote to memory of 1680	1252	Ransomware.exe	cmd.exe
PID 1680 wrote to memory of 1536	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 1536	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 1536	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 1536	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 332	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 332	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 332	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 332	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 1516	1680	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 1516	1680	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 1516	1680	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 1516	1680	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 528	1680	cmd.exe	Ransomware.exe
PID 1680 wrote to memory of 528	1680	cmd.exe	Ransomware.exe
PID 1680 wrote to memory of 528	1680	cmd.exe	Ransomware.exe
PID 1680 wrote to memory of 528	1680	cmd.exe	Ransomware.exe
PID 528 wrote to memory of 268	528	Ransomware.exe	cmd.exe
PID 528 wrote to memory of 268	528	Ransomware.exe	cmd.exe
PID 528 wrote to memory of 268	528	Ransomware.exe	cmd.exe
PID 528 wrote to memory of 268	528	Ransomware.exe	cmd.exe
PID 268 wrote to memory of 688	268	cmd.exe	chcp.com
PID 268 wrote to memory of 688	268	cmd.exe	chcp.com
PID 268 wrote to memory of 688	268	cmd.exe	chcp.com
PID 268 wrote to memory of 688	268	cmd.exe	chcp.com
PID 268 wrote to memory of 1636	268	cmd.exe	vssadmin.exe
PID 268 wrote to memory of 1636	268	cmd.exe	vssadmin.exe
PID 268 wrote to memory of 1636	268	cmd.exe	vssadmin.exe
PID 268 wrote to memory of 1636	268	cmd.exe	vssadmin.exe
PID 1524 wrote to memory of 1568	1524	taskeng.exe	Ransomware.exe
PID 1524 wrote to memory of 1568	1524	taskeng.exe	Ransomware.exe
PID 1524 wrote to memory of 1568	1524	taskeng.exe	Ransomware.exe
PID 1524 wrote to memory of 1568	1524	taskeng.exe	Ransomware.exe
PID 1568 wrote to memory of 1428	1568	Ransomware.exe	cmd.exe
PID 1568 wrote to memory of 1428	1568	Ransomware.exe	cmd.exe
PID 1568 wrote to memory of 1428	1568	Ransomware.exe	cmd.exe
PID 1568 wrote to memory of 1428	1568	Ransomware.exe	cmd.exe
PID 1428 wrote to memory of 1172	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 1172	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 1172	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 1172	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 912	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 912	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 912	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 912	1428	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:332

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1516

C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:688

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\taskeng.exe
taskeng.exe {C6CC2ADC-00C3-4B77-868F-CD5227B0BFC1} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1172

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
Filesize
112KB

MD5
3e639bb5f41c23fddca94836c44b88a6

SHA1
799699566b60733bfc9429b63d63d6bff1d3225a

SHA256
d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

SHA512
e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
Filesize
112KB

MD5
3e639bb5f41c23fddca94836c44b88a6

SHA1
799699566b60733bfc9429b63d63d6bff1d3225a

SHA256
d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

SHA512
e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
Filesize
112KB

MD5
3e639bb5f41c23fddca94836c44b88a6

SHA1
799699566b60733bfc9429b63d63d6bff1d3225a

SHA256
d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

SHA512
e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42

Download Submit
\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
Filesize
112KB

MD5
3e639bb5f41c23fddca94836c44b88a6

SHA1
799699566b60733bfc9429b63d63d6bff1d3225a

SHA256
d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

SHA512
e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42

Download Submit
memory/268-66-0x0000000000000000-mapping.dmp

Download
memory/332-58-0x0000000000000000-mapping.dmp

Download
memory/528-64-0x0000000000810000-0x0000000000832000-memory.dmp

Filesize
136KB

Download
memory/528-62-0x0000000000000000-mapping.dmp

Download
memory/528-75-0x0000000005AA6000-0x0000000005AB7000-memory.dmp

Filesize
68KB

Download
memory/688-67-0x0000000000000000-mapping.dmp

Download
memory/912-74-0x0000000000000000-mapping.dmp

Download
memory/1172-73-0x0000000000000000-mapping.dmp

Download
memory/1252-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1252-54-0x0000000000B70000-0x0000000000B92000-memory.dmp

Filesize
136KB

Download
memory/1428-72-0x0000000000000000-mapping.dmp

Download
memory/1516-59-0x0000000000000000-mapping.dmp

Download
memory/1536-57-0x0000000000000000-mapping.dmp

Download
memory/1568-69-0x0000000000000000-mapping.dmp

Download
memory/1568-76-0x0000000005CE6000-0x0000000005CF7000-memory.dmp

Filesize
68KB

Download
memory/1636-68-0x0000000000000000-mapping.dmp

Download
memory/1680-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads