eternity | 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951

General

Target

08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Size

1.3MB
MD5

17f511ac04c38cc724a32db5ee6396df
SHA1

989d1cb5f7e47a84c375b7413928d7ab73e24ff5
SHA256

08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951
SHA512

3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317
SSDEEP

24576:sEkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxYq:sZHZ5MMpoJOp+MIVai7Tq24GjdGS

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe,http://167.88.170.23/101.exe,http://167.88.170.23/R101.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

Processes:

08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

pid	process
4824	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
4564	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

964 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1332 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

description pid process

Token: SeDebugPrivilege 4824 08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

pid	process
964	schtasks.exe

pid	process
1332	PING.EXE

description	pid	process
Token: SeDebugPrivilege	4824	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.execmd.exe

description	pid	process	target process
PID 2168 wrote to memory of 1164	2168	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe	cmd.exe
PID 2168 wrote to memory of 1164	2168	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe	cmd.exe
PID 2168 wrote to memory of 1164	2168	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe	cmd.exe
PID 1164 wrote to memory of 900	1164	cmd.exe	chcp.com
PID 1164 wrote to memory of 900	1164	cmd.exe	chcp.com
PID 1164 wrote to memory of 900	1164	cmd.exe	chcp.com
PID 1164 wrote to memory of 1332	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 1332	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 1332	1164	cmd.exe	PING.EXE
PID 1164 wrote to memory of 964	1164	cmd.exe	schtasks.exe
PID 1164 wrote to memory of 964	1164	cmd.exe	schtasks.exe
PID 1164 wrote to memory of 964	1164	cmd.exe	schtasks.exe
PID 1164 wrote to memory of 4824	1164	cmd.exe	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
PID 1164 wrote to memory of 4824	1164	cmd.exe	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
PID 1164 wrote to memory of 4824	1164	cmd.exe	08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe

C:\Users\Admin\AppData\Local\Temp\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
"C:\Users\Admin\AppData\Local\Temp\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:900

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1332

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:964

C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
"C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
1⤵
- Executes dropped EXE
PID:4564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe.log
Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Filesize
1.3MB

MD5
17f511ac04c38cc724a32db5ee6396df

SHA1
989d1cb5f7e47a84c375b7413928d7ab73e24ff5

SHA256
08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951

SHA512
3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Filesize
1.3MB

MD5
17f511ac04c38cc724a32db5ee6396df

SHA1
989d1cb5f7e47a84c375b7413928d7ab73e24ff5

SHA256
08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951

SHA512
3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951.exe
Filesize
1.3MB

MD5
17f511ac04c38cc724a32db5ee6396df

SHA1
989d1cb5f7e47a84c375b7413928d7ab73e24ff5

SHA256
08fef20cc97d6ab3a9dfa6da0cf804168fa862b6f1fcae7616d8dc8c75da9951

SHA512
3f681c60582c0bdd7efc198063ad9a5bf5e685dede586ab067272cffdfced628af7075bec907353dbec9a5ae5d30b7382f91e9b68325ff5c2c67325db9584317

Download Submit
memory/900-135-0x0000000000000000-mapping.dmp

Download
memory/964-137-0x0000000000000000-mapping.dmp

Download
memory/1164-134-0x0000000000000000-mapping.dmp

Download
memory/1332-136-0x0000000000000000-mapping.dmp

Download
memory/2168-132-0x0000000000960000-0x0000000000AB2000-memory.dmp

Filesize
1.3MB

Download
memory/2168-133-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4824-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads