eternity | 0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664

General

Target

0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
Size

2.0MB
MD5

beef91ad4f42aceb79f47d23bb4a4960
SHA1

383cf8953efab212fb70209d33c8a64cde1d04b4
SHA256

0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664
SHA512

f68b6a695ed8ba06131a0cf0b727338781f01a45c2c6bc72cae717581017f6ae2239cdfffe2a712da26c15364561ea5ce84dd1e2466047b1ccb8db52e2362f34
SSDEEP

49152:EvXknXuMsbfbSp7ibAYXzZJ/7V5vBLdKbtKeOX:EvU+LupnYXtJjFLd0T

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe,http://167.88.170.23/101.exe,http://167.88.170.23/R101.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 3 IoCs

Processes:

0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

pid	process
536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
1164	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
1264	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1068 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1068 cmd.exe

pid	process
1068	cmd.exe

pid	process
1068	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

description	pid	process	target process
PID 864 set thread context of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 set thread context of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

796 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

612 PING.EXE

pid	process
796	schtasks.exe

pid	process
612	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

pid	process
864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

description	pid	process
Token: SeDebugPrivilege	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
Token: SeDebugPrivilege	1164	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.execmd.exe0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exetaskeng.exe

description	pid	process	target process
PID 864 wrote to memory of 1656	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1656	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1656	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1656	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 316	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 316	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 316	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 316	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 864 wrote to memory of 1332	864	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1332 wrote to memory of 1068	1332	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	cmd.exe
PID 1332 wrote to memory of 1068	1332	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	cmd.exe
PID 1332 wrote to memory of 1068	1332	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	cmd.exe
PID 1332 wrote to memory of 1068	1332	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	cmd.exe
PID 1068 wrote to memory of 1784	1068	cmd.exe	chcp.com
PID 1068 wrote to memory of 1784	1068	cmd.exe	chcp.com
PID 1068 wrote to memory of 1784	1068	cmd.exe	chcp.com
PID 1068 wrote to memory of 1784	1068	cmd.exe	chcp.com
PID 1068 wrote to memory of 612	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 612	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 612	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 612	1068	cmd.exe	PING.EXE
PID 1068 wrote to memory of 796	1068	cmd.exe	schtasks.exe
PID 1068 wrote to memory of 796	1068	cmd.exe	schtasks.exe
PID 1068 wrote to memory of 796	1068	cmd.exe	schtasks.exe
PID 1068 wrote to memory of 796	1068	cmd.exe	schtasks.exe
PID 1068 wrote to memory of 536	1068	cmd.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1068 wrote to memory of 536	1068	cmd.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1068 wrote to memory of 536	1068	cmd.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1068 wrote to memory of 536	1068	cmd.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 536 wrote to memory of 1164	536	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1536 wrote to memory of 1264	1536	taskeng.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1536 wrote to memory of 1264	1536	taskeng.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1536 wrote to memory of 1264	1536	taskeng.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
PID 1536 wrote to memory of 1264	1536	taskeng.exe	0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe

C:\Users\Admin\AppData\Local\Temp\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
"C:\Users\Admin\AppData\Local\Temp\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
"{path}"
2⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
"{path}"
2⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe"
3⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1784

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:612

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:796

C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
"C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
"{path}"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\taskeng.exe
taskeng.exe {7A87F41F-20DB-4085-AAC1-A58A30A5D213} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
2⤵
- Executes dropped EXE
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
Filesize
2.0MB

MD5
beef91ad4f42aceb79f47d23bb4a4960

SHA1
383cf8953efab212fb70209d33c8a64cde1d04b4

SHA256
0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664

SHA512
f68b6a695ed8ba06131a0cf0b727338781f01a45c2c6bc72cae717581017f6ae2239cdfffe2a712da26c15364561ea5ce84dd1e2466047b1ccb8db52e2362f34

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
Filesize
2.0MB

MD5
beef91ad4f42aceb79f47d23bb4a4960

SHA1
383cf8953efab212fb70209d33c8a64cde1d04b4

SHA256
0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664

SHA512
f68b6a695ed8ba06131a0cf0b727338781f01a45c2c6bc72cae717581017f6ae2239cdfffe2a712da26c15364561ea5ce84dd1e2466047b1ccb8db52e2362f34

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
Filesize
2.0MB

MD5
beef91ad4f42aceb79f47d23bb4a4960

SHA1
383cf8953efab212fb70209d33c8a64cde1d04b4

SHA256
0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664

SHA512
f68b6a695ed8ba06131a0cf0b727338781f01a45c2c6bc72cae717581017f6ae2239cdfffe2a712da26c15364561ea5ce84dd1e2466047b1ccb8db52e2362f34

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
Filesize
2.0MB

MD5
beef91ad4f42aceb79f47d23bb4a4960

SHA1
383cf8953efab212fb70209d33c8a64cde1d04b4

SHA256
0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664

SHA512
f68b6a695ed8ba06131a0cf0b727338781f01a45c2c6bc72cae717581017f6ae2239cdfffe2a712da26c15364561ea5ce84dd1e2466047b1ccb8db52e2362f34

Download Submit
\Users\Admin\AppData\Local\ServiceHub\0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664.exe
Filesize
2.0MB

MD5
beef91ad4f42aceb79f47d23bb4a4960

SHA1
383cf8953efab212fb70209d33c8a64cde1d04b4

SHA256
0eba42728c9697c812859850862f10b66d3cec782fa093ad68b141148a8c9664

SHA512
f68b6a695ed8ba06131a0cf0b727338781f01a45c2c6bc72cae717581017f6ae2239cdfffe2a712da26c15364561ea5ce84dd1e2466047b1ccb8db52e2362f34

Download Submit
memory/536-77-0x0000000000000000-mapping.dmp

Download
memory/536-79-0x0000000001240000-0x0000000001442000-memory.dmp

Filesize
2.0MB

Download
memory/536-81-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/612-73-0x0000000000000000-mapping.dmp

Download
memory/796-74-0x0000000000000000-mapping.dmp

Download
memory/864-58-0x000000000B390000-0x000000000B4E2000-memory.dmp

Filesize
1.3MB

Download
memory/864-57-0x0000000005DC0000-0x0000000005F64000-memory.dmp

Filesize
1.6MB

Download
memory/864-56-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/864-54-0x0000000001230000-0x0000000001432000-memory.dmp

Filesize
2.0MB

Download
memory/864-55-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1068-71-0x0000000000000000-mapping.dmp

Download
memory/1164-91-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1164-88-0x000000000054C73E-mapping.dmp

Download
memory/1164-93-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1264-95-0x0000000000000000-mapping.dmp

Download
memory/1264-98-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/1332-62-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1332-69-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1332-67-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1332-65-0x000000000054C73E-mapping.dmp

Download
memory/1332-64-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1332-63-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1332-60-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1332-59-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1784-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads