eternity | 6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81

General

Target

tmp.exe
Size

1.8MB
MD5

44effc7911d5d30eee8046847b5e51a0
SHA1

9f056d46778af4c12965b6da6adf7e8bd4c1e801
SHA256

6d46c2fe42b53385f98f417e5e79b56ee12a3153ad7304a334bc2b4541d84e81
SHA512

f929769ba14b0564a8f5ad8d9604d8d9106233e459ab4556cfa22d9d2257318b84dc4a1854401e410b65ef612bca8de36830736f14bcb5a2940d3f492126e575
SSDEEP

49152:IBJ5w3gdZHOAWxTAwslyNIlS7PFO9KP142cgXWef:yw38R5pY0EQx2hGk

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 2 IoCs

Processes:

wrmuac.exeSkype.exe

pid process

4332 wrmuac.exe
3748 Skype.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation tmp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Skype.exe

description pid process target process

PID 3748 set thread context of 4704 3748 Skype.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4896 4704 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2420 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wrmuac.exeSkype.exe

description pid process

Token: SeDebugPrivilege 4332 wrmuac.exe
Token: SeDebugPrivilege 3748 Skype.exe

pid	process
4332	wrmuac.exe
3748	Skype.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp.exe

description	pid	process	target process
PID 3748 set thread context of 4704	3748	Skype.exe	RegAsm.exe

pid	pid_target	process	target process
4896	4704	WerFault.exe	RegAsm.exe

pid	process
2420	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4332	wrmuac.exe
Token: SeDebugPrivilege	3748	Skype.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tmp.exeSkype.execmd.exe

description	pid	process	target process
PID 2960 wrote to memory of 4332	2960	tmp.exe	wrmuac.exe
PID 2960 wrote to memory of 4332	2960	tmp.exe	wrmuac.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4704	3748	Skype.exe	RegAsm.exe
PID 3748 wrote to memory of 4580	3748	Skype.exe	cmd.exe
PID 3748 wrote to memory of 4580	3748	Skype.exe	cmd.exe
PID 3748 wrote to memory of 4720	3748	Skype.exe	cmd.exe
PID 3748 wrote to memory of 4720	3748	Skype.exe	cmd.exe
PID 3748 wrote to memory of 3064	3748	Skype.exe	cmd.exe
PID 3748 wrote to memory of 3064	3748	Skype.exe	cmd.exe
PID 4720 wrote to memory of 2420	4720	cmd.exe	schtasks.exe
PID 4720 wrote to memory of 2420	4720	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\wrmuac.exe
"C:\Users\Admin\AppData\Local\Temp\wrmuac.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\AppData\Local\Temp\Skype.exe
C:\Users\Admin\AppData\Local\Temp\Skype.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 976
3⤵
- Program crash
PID:4896

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\maxaudios"
2⤵
PID:4580

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\maxaudios\maxaudios.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\maxaudios\maxaudios.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Skype.exe" "C:\Users\Admin\AppData\Roaming\maxaudios\maxaudios.exe"
2⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4704 -ip 4704
1⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Skype.exe
Filesize
351.9MB

MD5
348a1648bc820cb9ba555a15c389db1e

SHA1
8f4b62278e7bbb108e0f30aab3a353f0ec580313

SHA256
a0490f3ddd866066089b308d892d3a8de67b86e6cd82c0babd55efd13e345a5b

SHA512
f379d54c93aa731714d7926fe6c5809be4abecb71b74e78e1213934ecaf51618f2d40159930d08f3dd71544257d3e2ef6916614762ec8945019ca72effc23606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skype.exe
Filesize
348.4MB

MD5
d5581cdfe2285028b8a1e80ccc1964fe

SHA1
05c7fdafe69439c07d53dfc4bbadc493d394c8c3

SHA256
669d332bd79cfe3a24d4546d5670d3161ef485c308ca9af49040307bfccdf3f5

SHA512
17534f55d1282fea90519b8e03fc6a5f7df103719687bbfb1a29234196ce0b2e81823395d85e2320fc9d30835b5a065b7f4780943e482b22460b4b624c68e215

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrmuac.exe
Filesize
428.0MB

MD5
1f1b30093f17dbc1f3c714d89fc48da5

SHA1
782b87546c0cc7f0bddcdd41f8150abb493a60ca

SHA256
2f357985579518723811e3a09a20d78fa7fcf8af6eb733750a55bddf0d071622

SHA512
2891a03bb24eeb769f9042d77cad28074f5804c5a323d10606d451d6158c1d2c7315bace0008da849c1bcde9abd5c8168a3680122a79fde2712daa23bd27091b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrmuac.exe
Filesize
426.8MB

MD5
38ea8d9508d7dc196142c40a1ef2e305

SHA1
2efc6fc2001e9416afbadbcec1b194ba6bf4ec98

SHA256
98a6e23dda0bfcf165ed421ac6b92a107b992a36292f7dcca84808649581804a

SHA512
111c3b77b52a31003766c237f17e038216216bb048b0b156926642f6fbc5510828c29e56a686a2f49c5c69fe24faf0e9cfffb660fc8d5ce6207a3aed2887515f

Download Submit
memory/2420-148-0x0000000000000000-mapping.dmp

Download
memory/3064-147-0x0000000000000000-mapping.dmp

Download
memory/3748-141-0x00007FF82D760000-0x00007FF82E221000-memory.dmp

Filesize
10.8MB

Download
memory/3748-142-0x00007FF82D760000-0x00007FF82E221000-memory.dmp

Filesize
10.8MB

Download
memory/4332-139-0x00007FF82D760000-0x00007FF82E221000-memory.dmp

Filesize
10.8MB

Download
memory/4332-132-0x0000000000000000-mapping.dmp

Download
memory/4332-137-0x00007FF82D760000-0x00007FF82E221000-memory.dmp

Filesize
10.8MB

Download
memory/4332-136-0x0000000000510000-0x0000000001510000-memory.dmp

Filesize
16.0MB

Download
memory/4332-135-0x00007FF82D760000-0x00007FF82E221000-memory.dmp

Filesize
10.8MB

Download
memory/4580-145-0x0000000000000000-mapping.dmp

Download
memory/4704-144-0x000000000054C05E-mapping.dmp

Download
memory/4704-143-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4704-149-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/4720-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads