eternity | 19e566d1b9e2b4249e1db103f78f1b6dc7a278207f9d4ce5c473c7c3776f29ed

General

Target

054fc48c210ae46d4b6616780f43ea9a.exe
Size

166KB
MD5

054fc48c210ae46d4b6616780f43ea9a
SHA1

c2865c58b28bf544d95cd87c9876c7a78504f4a1
SHA256

19e566d1b9e2b4249e1db103f78f1b6dc7a278207f9d4ce5c473c7c3776f29ed
SHA512

610fdf31ce7f7ab7b9c8fe259d3fe3a55126b360f2bb2fe6d6e724845a6dd9c660d37eb64628f765275e13d313608c4fe9e8789b0581d19f96412a0a94527826
SSDEEP

3072:jedqByd5NSEDtVinRl47FYuqjq9EjtoDSnQ6Xw2f2dsO:pC5NI/ClqjqGoDSnQ6wm2

Score

10^/10

eternity discovery

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
1932	badge.exe
1168	tmp1F0E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1456	054fc48c210ae46d4b6616780f43ea9a.exe
1456	054fc48c210ae46d4b6616780f43ea9a.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	badge.exe
Token: SeDebugPrivilege	1168	tmp1F0E.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	28
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	28
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	28
PID 1456 wrote to memory of 1932	1456	054fc48c210ae46d4b6616780f43ea9a.exe	28
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	29
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	29
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	29
PID 1456 wrote to memory of 1168	1456	054fc48c210ae46d4b6616780f43ea9a.exe	29

C:\Users\Admin\AppData\Local\Temp\054fc48c210ae46d4b6616780f43ea9a.exe
"C:\Users\Admin\AppData\Local\Temp\054fc48c210ae46d4b6616780f43ea9a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\badge.exe
  "C:\Users\Admin\AppData\Local\Temp\badge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\badge.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\badge.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\badge.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1F0E.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/1168-72-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

Filesize
104KB

Download
memory/1168-73-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1168-75-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1456-56-0x0000000004190000-0x00000000041D0000-memory.dmp

Filesize
256KB

Download
memory/1456-54-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/1932-64-0x00000000010A0000-0x00000000010BA000-memory.dmp

Filesize
104KB

Download
memory/1932-65-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1932-74-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing