eternity | d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

General

Target

Ransomware.exe
Size

112KB
MD5

3e639bb5f41c23fddca94836c44b88a6
SHA1

799699566b60733bfc9429b63d63d6bff1d3225a
SHA256

d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7
SHA512

e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42
SSDEEP

3072:aJl5QviHOEB8+Azr2/od+Kb3upxjrGoZji:az5uiHO0F/oMKb+pdrGoZ

Score

10^/10

eternity evasion ransomware

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Ransomware.exeRansomware.exe

pid process

4688 Ransomware.exe
2800 Ransomware.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

Ransomware.exe

description ioc process

File renamed C:\Users\Admin\Pictures\SaveAssert.png => C:\Users\Admin\Pictures\SaveAssert.png.ecrp Ransomware.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SaveAssert.png => C:\Users\Admin\Pictures\SaveAssert.png.ecrp	Ransomware.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ransomware.exeRansomware.exeRansomware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Ransomware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Ransomware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Ransomware.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Ransomware.exeRansomware.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Ransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

744 schtasks.exe

pid	process
744	schtasks.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

Ransomware.exeRansomware.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10"	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\TileWallpaper = "0"	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperStyle = "10"	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\TileWallpaper = "0"	Ransomware.exe

Modifies registry class 6 IoCs

Processes:

Ransomware.exeRansomware.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\Ransomware.exe %1"	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell\open\command	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell\open	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\.ecrp\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\ServiceHub\\Ransomware.exe %1"	Ransomware.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1052 PING.EXE

pid	process
1052	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ransomware.exeRansomware.exe

pid	process
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
4688	Ransomware.exe
2800	Ransomware.exe
4688	Ransomware.exe
2800	Ransomware.exe
4688	Ransomware.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Ransomware.exevssvc.exeRansomware.exe

description	pid	process
Token: SeDebugPrivilege	4688	Ransomware.exe
Token: SeBackupPrivilege	4816	vssvc.exe
Token: SeRestorePrivilege	4816	vssvc.exe
Token: SeAuditPrivilege	4816	vssvc.exe
Token: SeDebugPrivilege	2800	Ransomware.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Ransomware.execmd.exeRansomware.execmd.exeRansomware.execmd.exe

description	pid	process	target process
PID 4204 wrote to memory of 3628	4204	Ransomware.exe	cmd.exe
PID 4204 wrote to memory of 3628	4204	Ransomware.exe	cmd.exe
PID 4204 wrote to memory of 3628	4204	Ransomware.exe	cmd.exe
PID 3628 wrote to memory of 4448	3628	cmd.exe	chcp.com
PID 3628 wrote to memory of 4448	3628	cmd.exe	chcp.com
PID 3628 wrote to memory of 4448	3628	cmd.exe	chcp.com
PID 3628 wrote to memory of 1052	3628	cmd.exe	PING.EXE
PID 3628 wrote to memory of 1052	3628	cmd.exe	PING.EXE
PID 3628 wrote to memory of 1052	3628	cmd.exe	PING.EXE
PID 3628 wrote to memory of 744	3628	cmd.exe	schtasks.exe
PID 3628 wrote to memory of 744	3628	cmd.exe	schtasks.exe
PID 3628 wrote to memory of 744	3628	cmd.exe	schtasks.exe
PID 3628 wrote to memory of 4688	3628	cmd.exe	Ransomware.exe
PID 3628 wrote to memory of 4688	3628	cmd.exe	Ransomware.exe
PID 3628 wrote to memory of 4688	3628	cmd.exe	Ransomware.exe
PID 4688 wrote to memory of 3760	4688	Ransomware.exe	cmd.exe
PID 4688 wrote to memory of 3760	4688	Ransomware.exe	cmd.exe
PID 4688 wrote to memory of 3760	4688	Ransomware.exe	cmd.exe
PID 3760 wrote to memory of 556	3760	cmd.exe	chcp.com
PID 3760 wrote to memory of 556	3760	cmd.exe	chcp.com
PID 3760 wrote to memory of 556	3760	cmd.exe	chcp.com
PID 2800 wrote to memory of 928	2800	Ransomware.exe	cmd.exe
PID 2800 wrote to memory of 928	2800	Ransomware.exe	cmd.exe
PID 2800 wrote to memory of 928	2800	Ransomware.exe	cmd.exe
PID 928 wrote to memory of 3476	928	cmd.exe	chcp.com
PID 928 wrote to memory of 3476	928	cmd.exe	chcp.com
PID 928 wrote to memory of 3476	928	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\Ransomware.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Ransomware.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4448

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:744

C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ransomware.exe.log
Filesize
609B

MD5
d12b2202c8663de63120a7239216f4c9

SHA1
f0263381d735e0d3a029378de06e6c49f386bb4f

SHA256
a1523cbbb1efe7eaed779caf6077a067519945accb1ab61a4c39323fffea6e5d

SHA512
942e728bb334cd3a7c634617c04cc2848124505a7a5b3f3081e5d46334e313b1f6fbf854e94d4f44dd51692c39cd19d239b15de3f0aa443ebd8d60db2868ab80

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
Filesize
112KB

MD5
3e639bb5f41c23fddca94836c44b88a6

SHA1
799699566b60733bfc9429b63d63d6bff1d3225a

SHA256
d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

SHA512
e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
Filesize
112KB

MD5
3e639bb5f41c23fddca94836c44b88a6

SHA1
799699566b60733bfc9429b63d63d6bff1d3225a

SHA256
d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

SHA512
e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
Filesize
112KB

MD5
3e639bb5f41c23fddca94836c44b88a6

SHA1
799699566b60733bfc9429b63d63d6bff1d3225a

SHA256
d0ce047da46b87372013421553ff5313416364cccaf7f614cd1f20b6e6e741e7

SHA512
e4c395cd03d3377fd9cbb19c115496485d7cd62436c0361565bac8485ec33d024959c109a59e646f60f4d9684538ce43c4db3ca8762327847502d6b7222c1d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\wallpaper.bmp
Filesize
675KB

MD5
b420b3cf29ef7e6bb92981c335c3d46e

SHA1
3452295e8c91cad5361bb4242281eeeab35937c0

SHA256
bdad2fb308667a40e3f19347ea99368f75f6a86323575bf458f8683e528099df

SHA512
350a08e54b00713516b751cf3c7931baffd6e308e56843ebd5be35f69bbfcccda15d433e8ec5ab7272baec20801fbc7698d60e5e14d79900a18edfa99c84d28a

Download Submit
memory/556-145-0x0000000000000000-mapping.dmp

Download
memory/744-138-0x0000000000000000-mapping.dmp

Download
memory/928-148-0x0000000000000000-mapping.dmp

Download
memory/1052-137-0x0000000000000000-mapping.dmp

Download
memory/3476-149-0x0000000000000000-mapping.dmp

Download
memory/3628-135-0x0000000000000000-mapping.dmp

Download
memory/3760-144-0x0000000000000000-mapping.dmp

Download
memory/4204-132-0x0000000000AA0000-0x0000000000AC2000-memory.dmp

Filesize
136KB

Download
memory/4204-134-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/4204-133-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/4448-136-0x0000000000000000-mapping.dmp

Download
memory/4688-143-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/4688-139-0x0000000000000000-mapping.dmp

Download
memory/4688-146-0x0000000007570000-0x000000000757A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads