eternity | e19ff8cad63099065c403f206caa9fd950b732aeb28c3189dea419f5207e035d

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

025fe9e8bd3665254c3b4494885eb84e.exe
Size

549KB
MD5

025fe9e8bd3665254c3b4494885eb84e
SHA1

500f6ee879a6d00fc6e393699c4f5415bd4da68a
SHA256

e19ff8cad63099065c403f206caa9fd950b732aeb28c3189dea419f5207e035d
SHA512

cc14ddb646332892084aa7e7374cb7345fd024f09b72c20efcc767dcbe40414bed74d1c0c8b5b543327836b6da3703f9f714a4d96248d6e9ea60203639e8e706
SSDEEP

12288:i0MlE4sdpmt1VCrTabAdgel1LqL+cszd0tppwZCGD:97b2fkeGgelQszd0tppiDD

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 1 IoCs

Processes:

SpeechUXWiz.exe

pid process

1800 SpeechUXWiz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1648 2028 WerFault.exe 025fe9e8bd3665254c3b4494885eb84e.exe

pid	process
1800	SpeechUXWiz.exe

pid	pid_target	process	target process
1648	2028	WerFault.exe	025fe9e8bd3665254c3b4494885eb84e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

025fe9e8bd3665254c3b4494885eb84e.exe

description	pid	process	target process
PID 2028 wrote to memory of 1648	2028	025fe9e8bd3665254c3b4494885eb84e.exe	WerFault.exe
PID 2028 wrote to memory of 1648	2028	025fe9e8bd3665254c3b4494885eb84e.exe	WerFault.exe
PID 2028 wrote to memory of 1648	2028	025fe9e8bd3665254c3b4494885eb84e.exe	WerFault.exe
PID 2028 wrote to memory of 1648	2028	025fe9e8bd3665254c3b4494885eb84e.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\025fe9e8bd3665254c3b4494885eb84e.exe
"C:\Users\Admin\AppData\Local\Temp\025fe9e8bd3665254c3b4494885eb84e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\SpeechUXWiz.exe
"C:\Users\Admin\AppData\Local\Temp\SpeechUXWiz.exe"
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 900
2⤵
- Program crash
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SpeechUXWiz.exe
Filesize
455KB

MD5
02bce04d6192eb6bc85a195e0187e707

SHA1
975ecd7e4d51da13584f8453c9e4959fb94c0545

SHA256
6fa424ddd31e80d679d987fd94fb2a35d8bbead7f5f09404af531b46dbae85b6

SHA512
f1b82d484867585e206a2d48b64791724ed9aae57fe55fae755a786bee228482cb9cbc03b1e84cfa4d7fd5bbda0f733fe9500c8303834e3b23fb89580f589733

Download Submit
memory/2028-54-0x0000000000140000-0x00000000001CE000-memory.dmp

Filesize
568KB

Download
memory/2028-56-0x00000000048D0000-0x0000000004910000-memory.dmp

Filesize
256KB

Download
memory/2028-60-0x00000000048D0000-0x0000000004910000-memory.dmp

Filesize
256KB

Download