eternity | 6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81

Analysis

max time kernel
144s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
30-11-2022 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81.exe
Size

1.8MB
MD5

44effc7911d5d30eee8046847b5e51a0
SHA1

9f056d46778af4c12965b6da6adf7e8bd4c1e801
SHA256

6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81
SHA512

f929769ba14b0564a8f5ad8d9604d8d9106233e459ab4556cfa22d9d2257318b84dc4a1854401e410b65ef612bca8de36830736f14bcb5a2940d3f492126e575
SSDEEP

49152:IBJ5w3gdZHOAWxTAwslyNIlS7PFO9KP142cgXWef:yw38R5pY0EQx2hGk

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 2 IoCs

Processes:

wrmuac.exeSkype.exe

pid process

2784 wrmuac.exe
1356 Skype.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Skype.exe

description pid process target process

PID 1356 set thread context of 2760 1356 Skype.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4676 2760 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4236 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wrmuac.exeSkype.exe

description pid process

Token: SeDebugPrivilege 2784 wrmuac.exe
Token: SeDebugPrivilege 1356 Skype.exe

pid	process
2784	wrmuac.exe
1356	Skype.exe

description	pid	process	target process
PID 1356 set thread context of 2760	1356	Skype.exe	RegAsm.exe

pid	pid_target	process	target process
4676	2760	WerFault.exe	RegAsm.exe

pid	process
4236	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2784	wrmuac.exe
Token: SeDebugPrivilege	1356	Skype.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81.exeSkype.execmd.exe

description	pid	process	target process
PID 4940 wrote to memory of 2784	4940	6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81.exe	wrmuac.exe
PID 4940 wrote to memory of 2784	4940	6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81.exe	wrmuac.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 2760	1356	Skype.exe	RegAsm.exe
PID 1356 wrote to memory of 752	1356	Skype.exe	cmd.exe
PID 1356 wrote to memory of 752	1356	Skype.exe	cmd.exe
PID 1356 wrote to memory of 808	1356	Skype.exe	cmd.exe
PID 1356 wrote to memory of 808	1356	Skype.exe	cmd.exe
PID 1356 wrote to memory of 4248	1356	Skype.exe	cmd.exe
PID 1356 wrote to memory of 4248	1356	Skype.exe	cmd.exe
PID 808 wrote to memory of 4236	808	cmd.exe	schtasks.exe
PID 808 wrote to memory of 4236	808	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81.exe
"C:\Users\Admin\AppData\Local\Temp\6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\wrmuac.exe
"C:\Users\Admin\AppData\Local\Temp\wrmuac.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\Temp\Skype.exe
C:\Users\Admin\AppData\Local\Temp\Skype.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 952
3⤵
- Program crash
PID:4676

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\maxaudios"
2⤵
PID:752

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Skype.exe" "C:\Users\Admin\AppData\Roaming\maxaudios\maxaudios.exe"
2⤵
PID:4248

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\maxaudios\maxaudios.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\maxaudios\maxaudios.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Skype.exe
Filesize
146.4MB

MD5
9d455492111f37a42c0b8b821f9f4cb1

SHA1
b262abf6a884a05d09b5ec8c8fd51d94fc322c63

SHA256
8de9015f6ec82985ae57afb437be550adeb33dbb23843245cccb5eb11b492116

SHA512
d82031bc7087a091ceba65846ab2f2239f164a18c1d6a5aeedacdbb0926209af2ff5bb0b88bfcf600349ddcfb99982a4ebaa88905d9c84dc68f03ad39dea8905

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skype.exe
Filesize
146.9MB

MD5
a9a53e53d9891d52490e05dc8b78d361

SHA1
a6fc5e90dcf88316425fdec1f647c7a856e8df58

SHA256
99750eb17fac5f0605f69a9f0fa3547ce7236b1c81bbbd3691c955c0cb36a944

SHA512
a96db5a3db9c6fdfd44478746dd80f90eec189cf5c241ec9017c9f4efbba9c1c235f230b14423614bad551c53fef76998fa2e4d9d1572b5ed274d8efd910ce05

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrmuac.exe
Filesize
360.6MB

MD5
a84b00805383ccdc37452caf440edd58

SHA1
d00fb4d5d544c7f008bfb34390051657e2c8519f

SHA256
9392cf95f8e8e09a7ace5d9ca5fa684da8525ab8da8ec9d48b17b7f8c8711078

SHA512
534a9dee0accf1e9ba61c75cc17d034fbc2ab4cac01c23de62c0b489733f313de69063c76d07a49464f280713c092fe1a70f0d20a7499ff9506e37f2c12bf982

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrmuac.exe
Filesize
379.2MB

MD5
b352e5494cadc1b9e08bcd3575c314ce

SHA1
bf1c24b95fdafcd24260ccbfaa5cffe80853b966

SHA256
c2f33cf2fdc8c376b17538bc034c387ef2ac6f6f456844719404ab040ec4cd0a

SHA512
373e01cd987b1bfcaf0b8425e078948bde8a65901c3f23cf723e4c3c3fd50883a1569c7c506a668bbf5632da9329bfa04b3a2f072504423b740a7446a334ee01

Download Submit
memory/752-197-0x0000000000000000-mapping.dmp

Download
memory/808-198-0x0000000000000000-mapping.dmp

Download
memory/1356-194-0x000000003F870000-0x000000003F9E2000-memory.dmp

Filesize
1.4MB

Download
memory/2760-249-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2760-252-0x0000000005580000-0x0000000005A7E000-memory.dmp

Filesize
5.0MB

Download
memory/2760-196-0x000000000054C05E-mapping.dmp

Download
memory/2784-191-0x0000000000960000-0x0000000001960000-memory.dmp

Filesize
16.0MB

Download
memory/2784-187-0x0000000000000000-mapping.dmp

Download
memory/4236-207-0x0000000000000000-mapping.dmp

Download
memory/4248-199-0x0000000000000000-mapping.dmp

Download
memory/4940-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-162-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-139-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-141-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-142-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-143-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-154-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-156-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-157-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-158-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-160-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-161-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-159-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-163-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-164-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-165-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-167-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-168-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-169-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-170-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-172-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-173-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-171-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-174-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-175-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-176-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-177-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-178-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-179-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-180-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-129-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-125-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-121-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-120-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-181-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-182-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-183-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-184-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-185-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download