eternity | 19e566d1b9e2b4249e1db103f78f1b6dc7a278207f9d4ce5c473c7c3776f29ed

General

Target

054fc48c210ae46d4b6616780f43ea9a.exe
Size

166KB
MD5

054fc48c210ae46d4b6616780f43ea9a
SHA1

c2865c58b28bf544d95cd87c9876c7a78504f4a1
SHA256

19e566d1b9e2b4249e1db103f78f1b6dc7a278207f9d4ce5c473c7c3776f29ed
SHA512

610fdf31ce7f7ab7b9c8fe259d3fe3a55126b360f2bb2fe6d6e724845a6dd9c660d37eb64628f765275e13d313608c4fe9e8789b0581d19f96412a0a94527826
SSDEEP

3072:jedqByd5NSEDtVinRl47FYuqjq9EjtoDSnQ6Xw2f2dsO:pC5NI/ClqjqGoDSnQ6wm2

Score

10^/10

eternity discovery

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 2 IoCs

Processes:

badge.exetmp1F0E.tmp.exe

pid process

1932 badge.exe
1168 tmp1F0E.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

054fc48c210ae46d4b6616780f43ea9a.exe

pid process

1456 054fc48c210ae46d4b6616780f43ea9a.exe
1456 054fc48c210ae46d4b6616780f43ea9a.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

badge.exetmp1F0E.tmp.exe

description pid process

Token: SeDebugPrivilege 1932 badge.exe
Token: SeDebugPrivilege 1168 tmp1F0E.tmp.exe

pid	process
1932	badge.exe
1168	tmp1F0E.tmp.exe

pid	process
1456	054fc48c210ae46d4b6616780f43ea9a.exe
1456	054fc48c210ae46d4b6616780f43ea9a.exe

description	pid	process
Token: SeDebugPrivilege	1932	badge.exe
Token: SeDebugPrivilege	1168	tmp1F0E.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

054fc48c210ae46d4b6616780f43ea9a.exe

description	pid	process	target process
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	badge.exe
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	badge.exe
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	badge.exe
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	badge.exe
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	tmp1F0E.tmp.exe
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	tmp1F0E.tmp.exe
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	tmp1F0E.tmp.exe
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	tmp1F0E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\054fc48c210ae46d4b6616780f43ea9a.exe
"C:\Users\Admin\AppData\Local\Temp\054fc48c210ae46d4b6616780f43ea9a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\badge.exe
"C:\Users\Admin\AppData\Local\Temp\badge.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\badge.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\badge.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\badge.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/1168-72-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

Filesize
104KB

Download
memory/1168-73-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1168-75-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1456-56-0x0000000004190000-0x00000000041D0000-memory.dmp

Filesize
256KB

Download
memory/1456-54-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/1932-64-0x00000000010A0000-0x00000000010BA000-memory.dmp

Filesize
104KB

Download
memory/1932-65-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1932-74-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing