eternity | 4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4009a5e54d89221d9c9cfd34c3e04201.exe
Size

217KB
MD5

4009a5e54d89221d9c9cfd34c3e04201
SHA1

d0f82788f5ba6c602d7d5be43d990acc8d309654
SHA256

4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0
SHA512

54288b3e03c93859d156a85e17c7193d00c046bbfdd6828bd8b3b00cf4045aea00796942084935d7a596268cebf278d7373ff7e9a5c94b2e3fe274cf3685afd7
SSDEEP

6144:v5A67XaDrATRPg4pHgmedrWX6GTBz6mX9QVI:BAe66ZpleUvBz6Lq

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 2 IoCs

Processes:

AppLaunch.exetmpEAA2.tmp.exe

pid process

1100 AppLaunch.exe
280 tmpEAA2.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

4009a5e54d89221d9c9cfd34c3e04201.exe

pid process

1692 4009a5e54d89221d9c9cfd34c3e04201.exe
1692 4009a5e54d89221d9c9cfd34c3e04201.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmpEAA2.tmp.exe

description pid process

Token: SeDebugPrivilege 280 tmpEAA2.tmp.exe

pid	process
1100	AppLaunch.exe
280	tmpEAA2.tmp.exe

pid	process
1692	4009a5e54d89221d9c9cfd34c3e04201.exe
1692	4009a5e54d89221d9c9cfd34c3e04201.exe

description	pid	process
Token: SeDebugPrivilege	280	tmpEAA2.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4009a5e54d89221d9c9cfd34c3e04201.exe

description	pid	process	target process
PID 1692 wrote to memory of 1100	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	AppLaunch.exe
PID 1692 wrote to memory of 1100	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	AppLaunch.exe
PID 1692 wrote to memory of 1100	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	AppLaunch.exe
PID 1692 wrote to memory of 1100	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	AppLaunch.exe
PID 1692 wrote to memory of 280	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	tmpEAA2.tmp.exe
PID 1692 wrote to memory of 280	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	tmpEAA2.tmp.exe
PID 1692 wrote to memory of 280	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	tmpEAA2.tmp.exe
PID 1692 wrote to memory of 280	1692	4009a5e54d89221d9c9cfd34c3e04201.exe	tmpEAA2.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4009a5e54d89221d9c9cfd34c3e04201.exe
"C:\Users\Admin\AppData\Local\Temp\4009a5e54d89221d9c9cfd34c3e04201.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe
"C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"
2⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe
Filesize
121KB

MD5
e9c3ec13a9c77b393692d748d8eb83ce

SHA1
729e44ce32bc0709642eb79c46bd8c3e9f91232b

SHA256
3682f6c9357e653150b1b7a96c30347e1abfa368a356db7c65a4c805f4eeb25e

SHA512
f1bdcc7cded610b6821b8a322546864495dbd371ebed3fbe683bc3e3751ed57c6ecfdfe8fe701c77d9e1ee698406cb9d1c7b4e15b079f89a430895343ab51e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\AppLaunch.exe
Filesize
121KB

MD5
e9c3ec13a9c77b393692d748d8eb83ce

SHA1
729e44ce32bc0709642eb79c46bd8c3e9f91232b

SHA256
3682f6c9357e653150b1b7a96c30347e1abfa368a356db7c65a4c805f4eeb25e

SHA512
f1bdcc7cded610b6821b8a322546864495dbd371ebed3fbe683bc3e3751ed57c6ecfdfe8fe701c77d9e1ee698406cb9d1c7b4e15b079f89a430895343ab51e79

Download Submit
\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/280-68-0x0000000000190000-0x00000000001AA000-memory.dmp

Filesize
104KB

Download
memory/280-69-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/280-70-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1692-54-0x0000000000F20000-0x0000000000F5C000-memory.dmp

Filesize
240KB

Download
memory/1692-56-0x0000000000690000-0x00000000006D0000-memory.dmp

Filesize
256KB

Download