eternity | 46e9abe7ac68378bb171f81629f4e36291c3889af69045179bbe2e1fee5d1a24

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b65c62a9de83a213fce1873edfeb4eb.exe
Size

903KB
MD5

0b65c62a9de83a213fce1873edfeb4eb
SHA1

90e707fda5bcac83b5a7d6d25f481b4746fef511
SHA256

46e9abe7ac68378bb171f81629f4e36291c3889af69045179bbe2e1fee5d1a24
SHA512

c79a5bfe1714bedd424c45159aad759e780f8063a6115dfada1807bf68a630f422115fa321f96625a712a242fd30002f159fc6097ee17bafb76b8691561595f8
SSDEEP

12288:7JTDx4DDlWFKqaHkD2SA1CWo0OiPcYGLstWAGXubKkm6HwJxarhdY95fAm:lTIzqOkD2eN0HchLstFlo6HwJxeDyf

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 3 IoCs

Processes:

TC IconsPack v4.exeTC IconsPack v4.tmptmp8786.tmp.exe

pid process

2004 TC IconsPack v4.exe
576 TC IconsPack v4.tmp
1132 tmp8786.tmp.exe

pid	process
2004	TC IconsPack v4.exe
576	TC IconsPack v4.tmp
1132	tmp8786.tmp.exe

Loads dropped DLL 6 IoCs

Processes:

0b65c62a9de83a213fce1873edfeb4eb.exeTC IconsPack v4.exeTC IconsPack v4.tmp

pid	process
1424	0b65c62a9de83a213fce1873edfeb4eb.exe
2004	TC IconsPack v4.exe
576	TC IconsPack v4.tmp
576	TC IconsPack v4.tmp
576	TC IconsPack v4.tmp
1424	0b65c62a9de83a213fce1873edfeb4eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TC IconsPack v4.tmp

pid process

576 TC IconsPack v4.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp8786.tmp.exe

description pid process

Token: SeDebugPrivilege 1132 tmp8786.tmp.exe

pid	process
576	TC IconsPack v4.tmp

description	pid	process
Token: SeDebugPrivilege	1132	tmp8786.tmp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0b65c62a9de83a213fce1873edfeb4eb.exeTC IconsPack v4.exe

description	pid	process	target process
PID 1424 wrote to memory of 2004	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	TC IconsPack v4.exe
PID 1424 wrote to memory of 2004	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	TC IconsPack v4.exe
PID 1424 wrote to memory of 2004	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	TC IconsPack v4.exe
PID 1424 wrote to memory of 2004	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	TC IconsPack v4.exe
PID 2004 wrote to memory of 576	2004	TC IconsPack v4.exe	TC IconsPack v4.tmp
PID 2004 wrote to memory of 576	2004	TC IconsPack v4.exe	TC IconsPack v4.tmp
PID 2004 wrote to memory of 576	2004	TC IconsPack v4.exe	TC IconsPack v4.tmp
PID 2004 wrote to memory of 576	2004	TC IconsPack v4.exe	TC IconsPack v4.tmp
PID 2004 wrote to memory of 576	2004	TC IconsPack v4.exe	TC IconsPack v4.tmp
PID 2004 wrote to memory of 576	2004	TC IconsPack v4.exe	TC IconsPack v4.tmp
PID 2004 wrote to memory of 576	2004	TC IconsPack v4.exe	TC IconsPack v4.tmp
PID 1424 wrote to memory of 1132	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	tmp8786.tmp.exe
PID 1424 wrote to memory of 1132	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	tmp8786.tmp.exe
PID 1424 wrote to memory of 1132	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	tmp8786.tmp.exe
PID 1424 wrote to memory of 1132	1424	0b65c62a9de83a213fce1873edfeb4eb.exe	tmp8786.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0b65c62a9de83a213fce1873edfeb4eb.exe
"C:\Users\Admin\AppData\Local\Temp\0b65c62a9de83a213fce1873edfeb4eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\TC IconsPack v4.exe
"C:\Users\Admin\AppData\Local\Temp\TC IconsPack v4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\is-E34LN.tmp\TC IconsPack v4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E34LN.tmp\TC IconsPack v4.tmp" /SL5="$80122,497149,58880,C:\Users\Admin\AppData\Local\Temp\TC IconsPack v4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:576

C:\Users\Admin\AppData\Local\Temp\tmp8786.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8786.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TC IconsPack v4.exe
Filesize
807KB

MD5
e33d0eb2d1cadc6a0f31fcc5a6178f5f

SHA1
f97aab00186944feb421b6d50532dc348ec5b690

SHA256
8992b04f6377038d7ffe12ae2644fcf4cb63930c1ac2c27199fd05318a7b3632

SHA512
9cc69c5aef7afa0c05d4aebcf7f5d22be2f4cac361ce753ee2d620a4899cadfbaac940110983d2549f09749b74e6efc580c2069a6126731ef2a9a8f9c1f93814

Download Submit
C:\Users\Admin\AppData\Local\Temp\TC IconsPack v4.exe
Filesize
807KB

MD5
e33d0eb2d1cadc6a0f31fcc5a6178f5f

SHA1
f97aab00186944feb421b6d50532dc348ec5b690

SHA256
8992b04f6377038d7ffe12ae2644fcf4cb63930c1ac2c27199fd05318a7b3632

SHA512
9cc69c5aef7afa0c05d4aebcf7f5d22be2f4cac361ce753ee2d620a4899cadfbaac940110983d2549f09749b74e6efc580c2069a6126731ef2a9a8f9c1f93814

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E34LN.tmp\TC IconsPack v4.tmp
Filesize
692KB

MD5
d2c48b12be1e9b01a008c5a0ebc39e85

SHA1
046aa3f9a204536f0bf59143cb8b2e640844fc8c

SHA256
db52368c596ae8b5e724011fc4bc8aa303e7c7741df83b1d1cccc2cec0c549d8

SHA512
281bf1ccf9662cd78441322a1a977d9f08fc14f8e650d06a62d4011194987f0237342c0703131e753ecefdbf324c6403ef81ee6721cb29a92c4694fad88eeb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8786.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8786.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\TC IconsPack v4.exe
Filesize
807KB

MD5
e33d0eb2d1cadc6a0f31fcc5a6178f5f

SHA1
f97aab00186944feb421b6d50532dc348ec5b690

SHA256
8992b04f6377038d7ffe12ae2644fcf4cb63930c1ac2c27199fd05318a7b3632

SHA512
9cc69c5aef7afa0c05d4aebcf7f5d22be2f4cac361ce753ee2d620a4899cadfbaac940110983d2549f09749b74e6efc580c2069a6126731ef2a9a8f9c1f93814

Download Submit
\Users\Admin\AppData\Local\Temp\is-E34LN.tmp\TC IconsPack v4.tmp
Filesize
692KB

MD5
d2c48b12be1e9b01a008c5a0ebc39e85

SHA1
046aa3f9a204536f0bf59143cb8b2e640844fc8c

SHA256
db52368c596ae8b5e724011fc4bc8aa303e7c7741df83b1d1cccc2cec0c549d8

SHA512
281bf1ccf9662cd78441322a1a977d9f08fc14f8e650d06a62d4011194987f0237342c0703131e753ecefdbf324c6403ef81ee6721cb29a92c4694fad88eeb54

Download Submit
\Users\Admin\AppData\Local\Temp\is-OAL8B.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-OAL8B.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OAL8B.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8786.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/576-87-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/576-91-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1132-88-0x0000000001130000-0x000000000114A000-memory.dmp

Filesize
104KB

Download
memory/1132-89-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1132-92-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1424-54-0x0000000000C20000-0x0000000000D06000-memory.dmp

Filesize
920KB

Download
memory/1424-56-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/2004-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2004-90-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download