eternity | 25b4a9aa2ac6722d1369c5a5d78aeeadb2cfffb4dc85be0878e6a7c84cee57c4

General

Target

27d3a6830b69e204d697b55973f8aeee.exe
Size

170KB
MD5

27d3a6830b69e204d697b55973f8aeee
SHA1

290a3ac46cad1085619f251ed2bb8617d4925d71
SHA256

25b4a9aa2ac6722d1369c5a5d78aeeadb2cfffb4dc85be0878e6a7c84cee57c4
SHA512

9563bf93ed16298ee0a8efca9cb07b811deefb7ebdb48f87a926b5e4884405ac3bd1e0990000020ffdf8c228d57a61ea89292037cc5a68b8d0bf72501175581c
SSDEEP

3072:H5Amlz0sC++in5op8sNjlL7473FwtYA2JoMX4PuYNWwI1GJ171dwY2TIof:Z3m5pA7V/Lsw1A1pdPFo

Score

10^/10

eternity discovery

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

AccountSmallLogo.exetmp152C.tmp.exe

pid process

1508 AccountSmallLogo.exe
1748 tmp152C.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

27d3a6830b69e204d697b55973f8aeee.exe

pid process

1704 27d3a6830b69e204d697b55973f8aeee.exe
1704 27d3a6830b69e204d697b55973f8aeee.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AccountSmallLogo.exetmp152C.tmp.exe

description pid process

Token: SeDebugPrivilege 1508 AccountSmallLogo.exe
Token: SeDebugPrivilege 1748 tmp152C.tmp.exe

pid	process
1508	AccountSmallLogo.exe
1748	tmp152C.tmp.exe

pid	process
1704	27d3a6830b69e204d697b55973f8aeee.exe
1704	27d3a6830b69e204d697b55973f8aeee.exe

description	pid	process
Token: SeDebugPrivilege	1508	AccountSmallLogo.exe
Token: SeDebugPrivilege	1748	tmp152C.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

27d3a6830b69e204d697b55973f8aeee.exe

description	pid	process	target process
PID 1704 wrote to memory of 1508	1704	27d3a6830b69e204d697b55973f8aeee.exe	AccountSmallLogo.exe
PID 1704 wrote to memory of 1508	1704	27d3a6830b69e204d697b55973f8aeee.exe	AccountSmallLogo.exe
PID 1704 wrote to memory of 1508	1704	27d3a6830b69e204d697b55973f8aeee.exe	AccountSmallLogo.exe
PID 1704 wrote to memory of 1508	1704	27d3a6830b69e204d697b55973f8aeee.exe	AccountSmallLogo.exe
PID 1704 wrote to memory of 1748	1704	27d3a6830b69e204d697b55973f8aeee.exe	tmp152C.tmp.exe
PID 1704 wrote to memory of 1748	1704	27d3a6830b69e204d697b55973f8aeee.exe	tmp152C.tmp.exe
PID 1704 wrote to memory of 1748	1704	27d3a6830b69e204d697b55973f8aeee.exe	tmp152C.tmp.exe
PID 1704 wrote to memory of 1748	1704	27d3a6830b69e204d697b55973f8aeee.exe	tmp152C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\27d3a6830b69e204d697b55973f8aeee.exe
"C:\Users\Admin\AppData\Local\Temp\27d3a6830b69e204d697b55973f8aeee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\AccountSmallLogo.exe
"C:\Users\Admin\AppData\Local\Temp\AccountSmallLogo.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Users\Admin\AppData\Local\Temp\tmp152C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp152C.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AccountSmallLogo.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AccountSmallLogo.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp152C.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp152C.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp152C.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\AccountSmallLogo.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp152C.tmp.exe
Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/1508-64-0x0000000000C70000-0x0000000000C8A000-memory.dmp

Filesize
104KB

Download
memory/1508-65-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/1508-74-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/1704-56-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/1704-54-0x0000000000FE0000-0x0000000001010000-memory.dmp

Filesize
192KB

Download
memory/1748-72-0x00000000012C0000-0x00000000012DA000-memory.dmp

Filesize
104KB

Download
memory/1748-73-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/1748-75-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing