eternity | 0396e012683038f15388fac6b1db2db167572ee5288ebe8cb61c0c189d0b87e8

Analysis

max time kernel
131s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006a0eecd58bad79212c0c4757cfb264.exe
Size

101KB
MD5

006a0eecd58bad79212c0c4757cfb264
SHA1

59ec2fa436052ba3a4deffe0f8e65d952c12df8d
SHA256

0396e012683038f15388fac6b1db2db167572ee5288ebe8cb61c0c189d0b87e8
SHA512

61ac341d684a721433b48f93c99c32e402711d0b1541688255bb9f9a719348f1ce40876e347704efdc1ad7c559650f63dd5f8244c71439a3d327d06c54ae2acd
SSDEEP

1536:uEerxZK7ZEJgahcqa3NfjGYjIhE2i7PccDnNMM1QFE0gHI9n/kdRaAWXVNr5Y7RW:ObSZChhS3NrVJxDnNLaAWDri9gHf

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	006a0eecd58bad79212c0c4757cfb264.exe

Executes dropped EXE 2 IoCs

pid	Process
3892	MigRegDB.exe
4064	tmp352F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	tmp352F.tmp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 3892	968	006a0eecd58bad79212c0c4757cfb264.exe	85
PID 968 wrote to memory of 3892	968	006a0eecd58bad79212c0c4757cfb264.exe	85
PID 968 wrote to memory of 3892	968	006a0eecd58bad79212c0c4757cfb264.exe	85
PID 968 wrote to memory of 4064	968	006a0eecd58bad79212c0c4757cfb264.exe	87
PID 968 wrote to memory of 4064	968	006a0eecd58bad79212c0c4757cfb264.exe	87
PID 968 wrote to memory of 4064	968	006a0eecd58bad79212c0c4757cfb264.exe	87

C:\Users\Admin\AppData\Local\Temp\006a0eecd58bad79212c0c4757cfb264.exe
"C:\Users\Admin\AppData\Local\Temp\006a0eecd58bad79212c0c4757cfb264.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\MigRegDB.exe
  "C:\Users\Admin\AppData\Local\Temp\MigRegDB.exe"
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\tmp352F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp352F.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MigRegDB.exe

Filesize
11KB

MD5
8ab05c31c23248c2ae46809d5fb73e33

SHA1
242c046a5fd614242e047d4c4bece9fdc375c952

SHA256
781e7f15682ffc1d7d523baa7835084199568054ab5161d63ba6a338b270d202

SHA512
81a1820beeae5f811716da764a54f8ba8595a6a533cc63efdfcd178ea84561153deff8434c8d804d7aa4b815f93e9dfc1fb986ae6d25f8b7f36866a159ae52de

Download Submit
C:\Users\Admin\AppData\Local\Temp\MigRegDB.exe

Filesize
11KB

MD5
8ab05c31c23248c2ae46809d5fb73e33

SHA1
242c046a5fd614242e047d4c4bece9fdc375c952

SHA256
781e7f15682ffc1d7d523baa7835084199568054ab5161d63ba6a338b270d202

SHA512
81a1820beeae5f811716da764a54f8ba8595a6a533cc63efdfcd178ea84561153deff8434c8d804d7aa4b815f93e9dfc1fb986ae6d25f8b7f36866a159ae52de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp352F.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp352F.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp352F.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/968-133-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/968-135-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4064-157-0x00000000002E0000-0x00000000002FA000-memory.dmp

Filesize
104KB

Download
memory/4064-158-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/4064-159-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download