eternity | 34803abdc815b2e0281bf3bf1c96f3dc0f22c0d0f21199db18801aa002826d80

General

Target

273567c887a4ae2789800f1459ac9094.exe
Size

128KB
MD5

273567c887a4ae2789800f1459ac9094
SHA1

54a3061e78ac80b569d3ab8f1a9b431288181701
SHA256

34803abdc815b2e0281bf3bf1c96f3dc0f22c0d0f21199db18801aa002826d80
SHA512

735e0f7dfba10d9d9cf4d557f03b003fd567d0a6b40e43a51add43f5bc62f12dc62c8a62f2aa9bbebe699d353285dedba15181558c2c2a67fab533b5632a43ea
SSDEEP

3072:I1x70t1fFGanxr0OH1JUK3wAnacZvE5s:I1x7+1fF1YOH1eMwAnacO

Score

10^/10

eternity discovery

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

jabswitch.exetmpE56B.tmp.exe

pid process

916 jabswitch.exe
284 tmpE56B.tmp.exe
Loads dropped DLL 3 IoCs

Processes:

273567c887a4ae2789800f1459ac9094.exe

pid process

1636 273567c887a4ae2789800f1459ac9094.exe
1692
1636 273567c887a4ae2789800f1459ac9094.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmpE56B.tmp.exe

description pid process

Token: SeDebugPrivilege 284 tmpE56B.tmp.exe

pid	process
916	jabswitch.exe
284	tmpE56B.tmp.exe

pid	process
1636	273567c887a4ae2789800f1459ac9094.exe
1692
1636	273567c887a4ae2789800f1459ac9094.exe

description	pid	process
Token: SeDebugPrivilege	284	tmpE56B.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

273567c887a4ae2789800f1459ac9094.exe

description	pid	process	target process
PID 1636 wrote to memory of 916	1636	273567c887a4ae2789800f1459ac9094.exe	jabswitch.exe
PID 1636 wrote to memory of 916	1636	273567c887a4ae2789800f1459ac9094.exe	jabswitch.exe
PID 1636 wrote to memory of 916	1636	273567c887a4ae2789800f1459ac9094.exe	jabswitch.exe
PID 1636 wrote to memory of 916	1636	273567c887a4ae2789800f1459ac9094.exe	jabswitch.exe
PID 1636 wrote to memory of 284	1636	273567c887a4ae2789800f1459ac9094.exe	tmpE56B.tmp.exe
PID 1636 wrote to memory of 284	1636	273567c887a4ae2789800f1459ac9094.exe	tmpE56B.tmp.exe
PID 1636 wrote to memory of 284	1636	273567c887a4ae2789800f1459ac9094.exe	tmpE56B.tmp.exe
PID 1636 wrote to memory of 284	1636	273567c887a4ae2789800f1459ac9094.exe	tmpE56B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\273567c887a4ae2789800f1459ac9094.exe
"C:\Users\Admin\AppData\Local\Temp\273567c887a4ae2789800f1459ac9094.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\jabswitch.exe
"C:\Users\Admin\AppData\Local\Temp\jabswitch.exe"
2⤵
- Executes dropped EXE
PID:916

C:\Users\Admin\AppData\Local\Temp\tmpE56B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpE56B.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jabswitch.exe
Filesize
33KB

MD5
1a496db0e43e0fe366c7286314b65e05

SHA1
685293fdc6362e0f69236523326b29e33133381e

SHA256
4219fdd8ea118be869a497a0f777488af516ff087d34b76bed3868d6e8f457c4

SHA512
895ed08ffa2b224df31b33dc6a363a016ed6dc3251085e04c48897db7ad2dc9b5a5e3f31955d594b00069c981b4e8eb2dce2f2983eab7786b291cd47f68b12aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE56B.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE56B.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\jabswitch.exe
Filesize
33KB

MD5
1a496db0e43e0fe366c7286314b65e05

SHA1
685293fdc6362e0f69236523326b29e33133381e

SHA256
4219fdd8ea118be869a497a0f777488af516ff087d34b76bed3868d6e8f457c4

SHA512
895ed08ffa2b224df31b33dc6a363a016ed6dc3251085e04c48897db7ad2dc9b5a5e3f31955d594b00069c981b4e8eb2dce2f2983eab7786b291cd47f68b12aa

Download Submit
\Users\Admin\AppData\Local\Temp\jabswitch.exe
Filesize
33KB

MD5
1a496db0e43e0fe366c7286314b65e05

SHA1
685293fdc6362e0f69236523326b29e33133381e

SHA256
4219fdd8ea118be869a497a0f777488af516ff087d34b76bed3868d6e8f457c4

SHA512
895ed08ffa2b224df31b33dc6a363a016ed6dc3251085e04c48897db7ad2dc9b5a5e3f31955d594b00069c981b4e8eb2dce2f2983eab7786b291cd47f68b12aa

Download Submit
\Users\Admin\AppData\Local\Temp\tmpE56B.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/284-69-0x0000000000EB0000-0x0000000000ECA000-memory.dmp

Filesize
104KB

Download
memory/284-70-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/284-71-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/1636-54-0x00000000012B0000-0x00000000012D6000-memory.dmp

Filesize
152KB

Download
memory/1636-56-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing