eternity | 4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/03/2023, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.1MB
MD5

0025bb6d0a9d41a97e19d014fd237e09
SHA1

2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb
SHA256

4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038
SHA512

23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec
SSDEEP

49152:1jzUCIk+1a7hKVy7fH6PlTooUy9KhJNN38g:5UCIk+E7h/fBFGKhF3

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/swo/sw.exe

http://167.88.170.23/swo/swo.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Deletes itself 1 IoCs

pid	Process
328	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
1808	file.exe
1908	file.exe
1260	file.exe
1660	file.exe
2044	file.exe
1616	file.exe
436	file.exe

Loads dropped DLL 1 IoCs

pid	Process
328	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1372 set thread context of 436	1372	file.exe	29
PID 1808 set thread context of 1660	1808	file.exe	40
PID 1908 set thread context of 2044	1908	file.exe	41
PID 1616 set thread context of 436	1616	file.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
788	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
848	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1372	file.exe
1808	file.exe
1808	file.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	file.exe
Token: SeDebugPrivilege	1808	file.exe
Token: SeDebugPrivilege	1660	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 972	1372	file.exe	28
PID 1372 wrote to memory of 972	1372	file.exe	28
PID 1372 wrote to memory of 972	1372	file.exe	28
PID 1372 wrote to memory of 972	1372	file.exe	28
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 1372 wrote to memory of 436	1372	file.exe	29
PID 436 wrote to memory of 328	436	file.exe	31
PID 436 wrote to memory of 328	436	file.exe	31
PID 436 wrote to memory of 328	436	file.exe	31
PID 436 wrote to memory of 328	436	file.exe	31
PID 328 wrote to memory of 864	328	cmd.exe	33
PID 328 wrote to memory of 864	328	cmd.exe	33
PID 328 wrote to memory of 864	328	cmd.exe	33
PID 328 wrote to memory of 864	328	cmd.exe	33
PID 328 wrote to memory of 848	328	cmd.exe	34
PID 328 wrote to memory of 848	328	cmd.exe	34
PID 328 wrote to memory of 848	328	cmd.exe	34
PID 328 wrote to memory of 848	328	cmd.exe	34
PID 328 wrote to memory of 788	328	cmd.exe	35
PID 328 wrote to memory of 788	328	cmd.exe	35
PID 328 wrote to memory of 788	328	cmd.exe	35
PID 328 wrote to memory of 788	328	cmd.exe	35
PID 328 wrote to memory of 1808	328	cmd.exe	36
PID 328 wrote to memory of 1808	328	cmd.exe	36
PID 328 wrote to memory of 1808	328	cmd.exe	36
PID 328 wrote to memory of 1808	328	cmd.exe	36
PID 948 wrote to memory of 1908	948	taskeng.exe	38
PID 948 wrote to memory of 1908	948	taskeng.exe	38
PID 948 wrote to memory of 1908	948	taskeng.exe	38
PID 948 wrote to memory of 1908	948	taskeng.exe	38
PID 1808 wrote to memory of 1260	1808	file.exe	39
PID 1808 wrote to memory of 1260	1808	file.exe	39
PID 1808 wrote to memory of 1260	1808	file.exe	39
PID 1808 wrote to memory of 1260	1808	file.exe	39
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1808 wrote to memory of 1660	1808	file.exe	40
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 1908 wrote to memory of 2044	1908	file.exe	41
PID 948 wrote to memory of 1616	948	taskeng.exe	42
PID 948 wrote to memory of 1616	948	taskeng.exe	42
PID 948 wrote to memory of 1616	948	taskeng.exe	42
PID 948 wrote to memory of 1616	948	taskeng.exe	42
PID 1616 wrote to memory of 436	1616	file.exe	43

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "{path}"
  2⤵
  PID:972
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\file.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:864
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:848
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "file" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\file.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:788
  - - C:\Users\Admin\AppData\Local\ServiceHub\file.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\file.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Users\Admin\AppData\Local\ServiceHub\file.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:1260
    - - C:\Users\Admin\AppData\Local\ServiceHub\file.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660

C:\Windows\system32\taskeng.exe
taskeng.exe {74B240BB-11F3-4304-B334-5DF98DC9BF41} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\ServiceHub\file.exe
  C:\Users\Admin\AppData\Local\ServiceHub\file.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\ServiceHub\file.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:2044
- C:\Users\Admin\AppData\Local\ServiceHub\file.exe
  C:\Users\Admin\AppData\Local\ServiceHub\file.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\ServiceHub\file.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
\Users\Admin\AppData\Local\ServiceHub\file.exe

Filesize
2.1MB

MD5
0025bb6d0a9d41a97e19d014fd237e09

SHA1
2cf196d7bd6ab6a27b2a0605cba0b89fa70d66fb

SHA256
4c94ced8bc0b5686daaa87c648fbbf99f5d14cf24befd3a203138505901db038

SHA512
23f66dbe24001354d6fbf809208d8994954d9a86d154f72b54a0ec1542885b3777a4efb6a51900deea45acb60c71dc49d6e434391c14d8349b48d8330079cdec

Download Submit
memory/436-62-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/436-61-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/436-65-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/436-67-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/436-69-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/436-63-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/436-60-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/436-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1372-55-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1372-54-0x0000000000070000-0x0000000000290000-memory.dmp

Filesize
2.1MB

Download
memory/1372-56-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/1372-59-0x000000000BE00000-0x000000000BF52000-memory.dmp

Filesize
1.3MB

Download
memory/1372-57-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1372-58-0x0000000008630000-0x00000000087D4000-memory.dmp

Filesize
1.6MB

Download
memory/1616-106-0x0000000005000000-0x0000000005040000-memory.dmp

Filesize
256KB

Download
memory/1660-90-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1660-88-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1660-91-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/1660-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1660-104-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/1808-76-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1808-75-0x0000000000B00000-0x0000000000D20000-memory.dmp

Filesize
2.1MB

Download
memory/1908-92-0x00000000051B0000-0x00000000051F0000-memory.dmp

Filesize
256KB

Download
memory/1908-78-0x00000000051B0000-0x00000000051F0000-memory.dmp

Filesize
256KB

Download