eternity | 0bb5ca376bcee3ffac89779a8c741609d408aeabce082cc0d6a56178072d0ba2

General

Target

27cdd8295412807884367cacce385863.exe
Size

3.4MB
MD5

27cdd8295412807884367cacce385863
SHA1

056403ac0d8f65326df3d985c81f2693a7183c4d
SHA256

0bb5ca376bcee3ffac89779a8c741609d408aeabce082cc0d6a56178072d0ba2
SHA512

33643557f4faed26fa094a4d01b191d5ae69302e4674f4e67b8c196c7b819e594ba9df888cf2d81f6b9671a9f53ebb080cca63d7e217cabc7458f340bd30c139
SSDEEP

49152:Nk+ecsCppv+EtXldahjdHoK2Ss4gHtRBnDfcivTNqG3zpmnRWs5TgPzSAenW1:OAs2B+aXld8mNT7pbTl+/9W

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 2 IoCs

Processes:

EpicGamesLauncher.exetmpD89D.tmp.exe

pid process

1208 EpicGamesLauncher.exe
560 tmpD89D.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

27cdd8295412807884367cacce385863.exe

pid process

1352 27cdd8295412807884367cacce385863.exe
1352 27cdd8295412807884367cacce385863.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmpD89D.tmp.exe

description pid process

Token: SeDebugPrivilege 560 tmpD89D.tmp.exe

pid	process
1208	EpicGamesLauncher.exe
560	tmpD89D.tmp.exe

pid	process
1352	27cdd8295412807884367cacce385863.exe
1352	27cdd8295412807884367cacce385863.exe

description	pid	process
Token: SeDebugPrivilege	560	tmpD89D.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

27cdd8295412807884367cacce385863.exe

description	pid	process	target process
PID 1352 wrote to memory of 1208	1352	27cdd8295412807884367cacce385863.exe	EpicGamesLauncher.exe
PID 1352 wrote to memory of 1208	1352	27cdd8295412807884367cacce385863.exe	EpicGamesLauncher.exe
PID 1352 wrote to memory of 1208	1352	27cdd8295412807884367cacce385863.exe	EpicGamesLauncher.exe
PID 1352 wrote to memory of 1208	1352	27cdd8295412807884367cacce385863.exe	EpicGamesLauncher.exe
PID 1352 wrote to memory of 560	1352	27cdd8295412807884367cacce385863.exe	tmpD89D.tmp.exe
PID 1352 wrote to memory of 560	1352	27cdd8295412807884367cacce385863.exe	tmpD89D.tmp.exe
PID 1352 wrote to memory of 560	1352	27cdd8295412807884367cacce385863.exe	tmpD89D.tmp.exe
PID 1352 wrote to memory of 560	1352	27cdd8295412807884367cacce385863.exe	tmpD89D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\27cdd8295412807884367cacce385863.exe
"C:\Users\Admin\AppData\Local\Temp\27cdd8295412807884367cacce385863.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe"
2⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Local\Temp\tmpD89D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD89D.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
Filesize
3.3MB

MD5
845dacc5b6721cfe823d6838f82f35ba

SHA1
6875a4a238e08c1b9253e0ffcabfc6326f62dc14

SHA256
1e18c1b41b85604d8d515d4526a6f6ef338a64b3196744a90268f1d3acd21fca

SHA512
22894c971b23a12aaec4d28cf7481589ad129cdad219a882f29e9ad7e121e8ae0293c413c352d1a4eda7ecdc57a663a4403c8b807092897481a7242f97a31a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD89D.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD89D.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
Filesize
3.3MB

MD5
845dacc5b6721cfe823d6838f82f35ba

SHA1
6875a4a238e08c1b9253e0ffcabfc6326f62dc14

SHA256
1e18c1b41b85604d8d515d4526a6f6ef338a64b3196744a90268f1d3acd21fca

SHA512
22894c971b23a12aaec4d28cf7481589ad129cdad219a882f29e9ad7e121e8ae0293c413c352d1a4eda7ecdc57a663a4403c8b807092897481a7242f97a31a87

Download Submit
\Users\Admin\AppData\Local\Temp\tmpD89D.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/560-68-0x0000000000DB0000-0x0000000000DCA000-memory.dmp

Filesize
104KB

Download
memory/560-69-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download
memory/560-70-0x0000000000D30000-0x0000000000D70000-memory.dmp

Filesize
256KB

Download
memory/1352-54-0x0000000000180000-0x00000000004F2000-memory.dmp

Filesize
3.4MB

Download
memory/1352-56-0x00000000043F0000-0x0000000004430000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing