eternity | 8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe
Size

1.7MB
MD5

28dfcf156ed2ac3a05ad4dc7dffc7b1d
SHA1

80a3c0309c9976d7f4e12fa1d43f589a5e9bb4fc
SHA256

8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035
SHA512

f4c87135c7b92ab76be07de36e4435ab03609243661d3e19c78e7f2faa825b7af0ff937d64063bd903ca0f45618629b1bb41df4c37368eeb477915e9ffe11238
SSDEEP

49152:sZzujF1mUmQW1CTB8/cRAfC30buKZYZRDDE7iQ8FfRJJegqrO4V:Iqbm/QW1CC/cRAs2a4V

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 1 IoCs

Processes:

ShellExperienceHost.exe

pid process

584 ShellExperienceHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

436 2000 WerFault.exe 28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe

pid	process
584	ShellExperienceHost.exe

pid	pid_target	process	target process
436	2000	WerFault.exe	28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe

description	pid	process	target process
PID 2000 wrote to memory of 436	2000	28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe	WerFault.exe
PID 2000 wrote to memory of 436	2000	28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe	WerFault.exe
PID 2000 wrote to memory of 436	2000	28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe	WerFault.exe
PID 2000 wrote to memory of 436	2000	28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe
"C:\Users\Admin\AppData\Local\Temp\28dfcf156ed2ac3a05ad4dc7dffc7b1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
"C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe"
2⤵
- Executes dropped EXE
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 928
2⤵
- Program crash
PID:436

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
Filesize
1.6MB

MD5
4743db60c94dc6af7b5443115df4cdcc

SHA1
5c15eb26989b7e3bc04d343ae926fd668636b630

SHA256
4c920501a1c25235ddbd63825a238ff29c4bd89bd054cd0157ec7f55ed20ce59

SHA512
ea23af8e4310392de4c458bff371081c8a2b8a2b957f3aa6c8a7a245d2875e396dfa04fc2d590edfee13056cc28960cc182c0c3cc03999b62738c201edf04c8b

Download Submit
memory/2000-54-0x0000000000C40000-0x0000000000DF2000-memory.dmp

Filesize
1.7MB

Download
memory/2000-56-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download