eternity | ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288

General

Target

ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
Size

1.7MB
MD5

ce3c2e93978895a4195d6c094f40da7b
SHA1

0efb66a4f8abd84654e1bace4644f72af2e06d65
SHA256

ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288
SHA512

32056d7f7b8230e2e7c55e89a5c852ddb96b853bb9d180661dcba99f9f53e23e9fb1a7909e07f247fe9116b3ab9f84b5b0f5cb0626236bc51ced9c49923d731e
SSDEEP

24576:YIK4j/Sb6n6cFx0PNiAoGUMkGKwa92XbbNHJmNVhpvZlWW2cdXp14i8W2heqO:rI66TU0C2XvN4NVTqW2y+

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe,http://167.88.170.23/101.exe,http://167.88.170.23/R101.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 4 IoCs

Processes:

ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

pid	process
1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
800	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
3544	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

description	pid	process	target process
PID 3772 set thread context of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 set thread context of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 set thread context of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4980 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3456 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

description pid process

Token: SeDebugPrivilege 800 ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

pid	process
4980	schtasks.exe

pid	process
3456	PING.EXE

description	pid	process
Token: SeDebugPrivilege	800	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execmd.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.execa1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

C:\Users\Admin\AppData\Local\Temp\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
"C:\Users\Admin\AppData\Local\Temp\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
"C:\Users\Admin\AppData\Local\Temp\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3156

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:3456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4980

C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
"C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
"C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
"C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe"
2⤵
- Executes dropped EXE
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe.log
Filesize
805B

MD5
4b74e933d78bd5e8fb1cc4653fb2133c

SHA1
f6e931eec700fa325bd40c3adc6f1c0eba806066

SHA256
fd99bed17853f5ad196ca6d4a62f5e2405fbdf5b98cbf45af8b7cef83e4bcec3

SHA512
b56ff89eff1a757a87dcb875206ae92d39ffdb5adf638600c21bc7c76ff4cc25502ae1060716488c7ed1641f8cdfad2a320443b7b4d9f09808eb86eb87f351ec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
Filesize
1.7MB

MD5
ce3c2e93978895a4195d6c094f40da7b

SHA1
0efb66a4f8abd84654e1bace4644f72af2e06d65

SHA256
ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288

SHA512
32056d7f7b8230e2e7c55e89a5c852ddb96b853bb9d180661dcba99f9f53e23e9fb1a7909e07f247fe9116b3ab9f84b5b0f5cb0626236bc51ced9c49923d731e

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
Filesize
1.7MB

MD5
ce3c2e93978895a4195d6c094f40da7b

SHA1
0efb66a4f8abd84654e1bace4644f72af2e06d65

SHA256
ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288

SHA512
32056d7f7b8230e2e7c55e89a5c852ddb96b853bb9d180661dcba99f9f53e23e9fb1a7909e07f247fe9116b3ab9f84b5b0f5cb0626236bc51ced9c49923d731e

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
Filesize
1.7MB

MD5
ce3c2e93978895a4195d6c094f40da7b

SHA1
0efb66a4f8abd84654e1bace4644f72af2e06d65

SHA256
ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288

SHA512
32056d7f7b8230e2e7c55e89a5c852ddb96b853bb9d180661dcba99f9f53e23e9fb1a7909e07f247fe9116b3ab9f84b5b0f5cb0626236bc51ced9c49923d731e

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
Filesize
1.7MB

MD5
ce3c2e93978895a4195d6c094f40da7b

SHA1
0efb66a4f8abd84654e1bace4644f72af2e06d65

SHA256
ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288

SHA512
32056d7f7b8230e2e7c55e89a5c852ddb96b853bb9d180661dcba99f9f53e23e9fb1a7909e07f247fe9116b3ab9f84b5b0f5cb0626236bc51ced9c49923d731e

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
Filesize
1.7MB

MD5
ce3c2e93978895a4195d6c094f40da7b

SHA1
0efb66a4f8abd84654e1bace4644f72af2e06d65

SHA256
ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288

SHA512
32056d7f7b8230e2e7c55e89a5c852ddb96b853bb9d180661dcba99f9f53e23e9fb1a7909e07f247fe9116b3ab9f84b5b0f5cb0626236bc51ced9c49923d731e

Download Submit
memory/800-146-0x0000000000000000-mapping.dmp

Download
memory/1776-143-0x0000000000000000-mapping.dmp

Download
memory/2768-139-0x0000000000000000-mapping.dmp

Download
memory/3156-140-0x0000000000000000-mapping.dmp

Download
memory/3456-141-0x0000000000000000-mapping.dmp

Download
memory/3544-150-0x0000000000000000-mapping.dmp

Download
memory/3772-132-0x00000000002A0000-0x0000000000462000-memory.dmp

Filesize
1.8MB

Download
memory/3772-133-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/3772-134-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/4316-135-0x0000000000000000-mapping.dmp

Download
memory/4316-138-0x0000000000610000-0x0000000000762000-memory.dmp

Filesize
1.3MB

Download
memory/4980-142-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 3772 wrote to memory of 4316	3772	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4316 wrote to memory of 2768	4316	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	cmd.exe
PID 4316 wrote to memory of 2768	4316	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	cmd.exe
PID 4316 wrote to memory of 2768	4316	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	cmd.exe
PID 2768 wrote to memory of 3156	2768	cmd.exe	chcp.com
PID 2768 wrote to memory of 3156	2768	cmd.exe	chcp.com
PID 2768 wrote to memory of 3156	2768	cmd.exe	chcp.com
PID 2768 wrote to memory of 3456	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 3456	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 3456	2768	cmd.exe	PING.EXE
PID 2768 wrote to memory of 4980	2768	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 4980	2768	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 4980	2768	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 1776	2768	cmd.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 2768 wrote to memory of 1776	2768	cmd.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 2768 wrote to memory of 1776	2768	cmd.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 1776 wrote to memory of 800	1776	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe
PID 4064 wrote to memory of 3544	4064	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe	ca1a716191a8f670286367f8344bee6d9506720eb4b6c7485bf1477c93536288.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads