eternity | c6a48b2f3fe21c09e04c1ff2b2430d6a051badf0f6d8a049b132c33c75b30097

General

Target

Pathfinder_2.19.3/Config.exe
Size

14KB
MD5

04cd708335c58d2c99ed5b40018fceec
SHA1

3f5ed0d4335d341f1e0bdcfefa1f54eb8287dd91
SHA256

fafd5b585332d98774accec4cb4b723450efa24621d2745e37caef92a6005934
SHA512

adb2ff97b137d66821b409640ccebd4aee2440442d11c1b569ba708d62ce5e3fe80f0a229a79fb90154de71163e8b94a07ea61e323cf13b9725ec421c18262a6
SSDEEP

384:kqpn9O91vTUblKJ1Ad2GYWdmbVYzyPvw/a8dOtZ+C:5FXYtb5Y6

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion

Wallets

46bBrD45kERWemsjD2jEP6LMqRtRaZG2yP7vToprBPwsZ2Zz7TzbheQUjWECtygvwxd7PoXpbqcnmDk3799yhJVvEddyzZv

Attributes

payload_urls
http://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet/shared/xmrig.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Config.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Config.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Config.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Config.exe

Executes dropped EXE 3 IoCs

pid	Process
5024	Config.exe
1520	Config.exe
400	Config.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4204	5024	WerFault.exe	85
1992	1520	WerFault.exe	95
3548	400	WerFault.exe	98

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4480	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3000	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	Config.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 448	4892	Config.exe	80
PID 4892 wrote to memory of 448	4892	Config.exe	80
PID 4892 wrote to memory of 448	4892	Config.exe	80
PID 448 wrote to memory of 4652	448	cmd.exe	82
PID 448 wrote to memory of 4652	448	cmd.exe	82
PID 448 wrote to memory of 4652	448	cmd.exe	82
PID 448 wrote to memory of 3000	448	cmd.exe	83
PID 448 wrote to memory of 3000	448	cmd.exe	83
PID 448 wrote to memory of 3000	448	cmd.exe	83
PID 448 wrote to memory of 4480	448	cmd.exe	84
PID 448 wrote to memory of 4480	448	cmd.exe	84
PID 448 wrote to memory of 4480	448	cmd.exe	84
PID 448 wrote to memory of 5024	448	cmd.exe	85
PID 448 wrote to memory of 5024	448	cmd.exe	85
PID 448 wrote to memory of 5024	448	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\Pathfinder_2.19.3\Config.exe
"C:\Users\Admin\AppData\Local\Temp\Pathfinder_2.19.3\Config.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Config" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Config.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Pathfinder_2.19.3\Config.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Config.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3000
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "Config" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Config.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4480
- - C:\Users\Admin\AppData\Local\ServiceHub\Config.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\Config.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2064
      4⤵
      Program crash
      PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5024 -ip 5024
1⤵
PID:1476

C:\Users\Admin\AppData\Local\ServiceHub\Config.exe
C:\Users\Admin\AppData\Local\ServiceHub\Config.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1612
  2⤵
  - Program crash
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1520 -ip 1520
1⤵
PID:432

C:\Users\Admin\AppData\Local\ServiceHub\Config.exe
C:\Users\Admin\AppData\Local\ServiceHub\Config.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1612
  2⤵
  - Program crash
  PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 400 -ip 400
1⤵
PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Config.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Config.exe

Filesize
14KB

MD5
04cd708335c58d2c99ed5b40018fceec

SHA1
3f5ed0d4335d341f1e0bdcfefa1f54eb8287dd91

SHA256
fafd5b585332d98774accec4cb4b723450efa24621d2745e37caef92a6005934

SHA512
adb2ff97b137d66821b409640ccebd4aee2440442d11c1b569ba708d62ce5e3fe80f0a229a79fb90154de71163e8b94a07ea61e323cf13b9725ec421c18262a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Config.exe

Filesize
14KB

MD5
04cd708335c58d2c99ed5b40018fceec

SHA1
3f5ed0d4335d341f1e0bdcfefa1f54eb8287dd91

SHA256
fafd5b585332d98774accec4cb4b723450efa24621d2745e37caef92a6005934

SHA512
adb2ff97b137d66821b409640ccebd4aee2440442d11c1b569ba708d62ce5e3fe80f0a229a79fb90154de71163e8b94a07ea61e323cf13b9725ec421c18262a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Config.exe

Filesize
14KB

MD5
04cd708335c58d2c99ed5b40018fceec

SHA1
3f5ed0d4335d341f1e0bdcfefa1f54eb8287dd91

SHA256
fafd5b585332d98774accec4cb4b723450efa24621d2745e37caef92a6005934

SHA512
adb2ff97b137d66821b409640ccebd4aee2440442d11c1b569ba708d62ce5e3fe80f0a229a79fb90154de71163e8b94a07ea61e323cf13b9725ec421c18262a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Config.exe

Filesize
14KB

MD5
04cd708335c58d2c99ed5b40018fceec

SHA1
3f5ed0d4335d341f1e0bdcfefa1f54eb8287dd91

SHA256
fafd5b585332d98774accec4cb4b723450efa24621d2745e37caef92a6005934

SHA512
adb2ff97b137d66821b409640ccebd4aee2440442d11c1b569ba708d62ce5e3fe80f0a229a79fb90154de71163e8b94a07ea61e323cf13b9725ec421c18262a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_WIJBFSKT.exe

Filesize
6KB

MD5
e7199cb108e2d9ff317197efda39bc6e

SHA1
3fbacaa769d4f414c6eee526846072199145f393

SHA256
42e86c028679de9d3b6cdb7792c47cdfee405d6ff599489b07588c7d4df191dc

SHA512
b39a50b5f16f6bd1e6775c2331c374204d6c37994e4c488616d69c90d07e4d97eed95b76ac038c6ebd58847732909d406efcd3b3dcf087bc21221a2e81203814

Download Submit
memory/4892-132-0x0000000000760000-0x000000000076A000-memory.dmp

Filesize
40KB

Download
memory/4892-133-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/5024-142-0x0000000004970000-0x00000000049D6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads