eternity | 5d007b2e9db06688735624bd49cbf01853685fbbb872e98173e87c07bd5f4533

Analysis

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038789d6cef36f7c28a3131c0bf3dff5.exe
Size

1.7MB
MD5

038789d6cef36f7c28a3131c0bf3dff5
SHA1

f1d1523f31df0c6c36234692de3c5ead577e9578
SHA256

5d007b2e9db06688735624bd49cbf01853685fbbb872e98173e87c07bd5f4533
SHA512

a8b7f2e60904693c9f9b0499d21d653cef8fc82058d8d68ed40692508b25a952ac6505cdade7205f819a2e8f60de0230db2c235329bbb468f3f4536de3353951
SSDEEP

24576:21H1ulUSNugkX6i1v0qNka1R1EUymL+95IekCoVvfxm9C64XZV:23uKL6Cka6SMo14obX

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 1 IoCs

Processes:

ShellExperienceHost.exe

pid process

1924 ShellExperienceHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1128 1048 WerFault.exe 038789d6cef36f7c28a3131c0bf3dff5.exe

pid	process
1924	ShellExperienceHost.exe

pid	pid_target	process	target process
1128	1048	WerFault.exe	038789d6cef36f7c28a3131c0bf3dff5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

038789d6cef36f7c28a3131c0bf3dff5.exe

description	pid	process	target process
PID 1048 wrote to memory of 1128	1048	038789d6cef36f7c28a3131c0bf3dff5.exe	WerFault.exe
PID 1048 wrote to memory of 1128	1048	038789d6cef36f7c28a3131c0bf3dff5.exe	WerFault.exe
PID 1048 wrote to memory of 1128	1048	038789d6cef36f7c28a3131c0bf3dff5.exe	WerFault.exe
PID 1048 wrote to memory of 1128	1048	038789d6cef36f7c28a3131c0bf3dff5.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\038789d6cef36f7c28a3131c0bf3dff5.exe
"C:\Users\Admin\AppData\Local\Temp\038789d6cef36f7c28a3131c0bf3dff5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
"C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe"
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 920
2⤵
- Program crash
PID:1128

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
Filesize
1.6MB

MD5
4743db60c94dc6af7b5443115df4cdcc

SHA1
5c15eb26989b7e3bc04d343ae926fd668636b630

SHA256
4c920501a1c25235ddbd63825a238ff29c4bd89bd054cd0157ec7f55ed20ce59

SHA512
ea23af8e4310392de4c458bff371081c8a2b8a2b957f3aa6c8a7a245d2875e396dfa04fc2d590edfee13056cc28960cc182c0c3cc03999b62738c201edf04c8b

Download Submit
memory/1048-54-0x0000000000950000-0x0000000000B02000-memory.dmp

Filesize
1.7MB

Download
memory/1048-56-0x00000000042A0000-0x00000000042E0000-memory.dmp

Filesize
256KB

Download
memory/1048-60-0x00000000042A0000-0x00000000042E0000-memory.dmp

Filesize
256KB

Download