eternity | 2eaf826b2e3ec790969d94b4c79e606aa2ddc029588d6fc54e249ec8b4a62fcc

General

Target

6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe
Size

328KB
MD5

0b2226a16d3c7e938cbe1e1c3133fddc
SHA1

a0073232ca2d4495735ef74d899701ba8f7d139b
SHA256

6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748
SHA512

47f30dc7dee949fb63f3e6b378fd27d7eaf64e3702a310d5d04295e653447f56c4ace70b6dca4d275ea7cb1953aea6085956092ac5676bf12ac5e45386a6f1ef
SSDEEP

6144:xcOCqSMGopjWOcF6s6vgWEUMmyUKD5uYiTwQwcZyY2rw:xcO+SjoFmgWVyUKRgy9rw

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
1028	Microsoft.AAD.BrokerPlugin.exe
852	tmp1351.tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe
2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe
2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	tmp1351.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1028	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	28
PID 2032 wrote to memory of 1028	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	28
PID 2032 wrote to memory of 1028	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	28
PID 2032 wrote to memory of 1028	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	28
PID 2032 wrote to memory of 852	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	29
PID 2032 wrote to memory of 852	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	29
PID 2032 wrote to memory of 852	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	29
PID 2032 wrote to memory of 852	2032	6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe	29

C:\Users\Admin\AppData\Local\Temp\6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe
"C:\Users\Admin\AppData\Local\Temp\6f58b413b2d7d36f56b46f4fa119806b9f3f335c90bdb5fb2a7313bb15c61748.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe"
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\tmp1351.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1351.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1351.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1351.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1351.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/852-71-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

Filesize
104KB

Download
memory/852-72-0x0000000000760000-0x00000000007A0000-memory.dmp

Filesize
256KB

Download
memory/852-73-0x0000000000760000-0x00000000007A0000-memory.dmp

Filesize
256KB

Download
memory/2032-54-0x0000000000140000-0x0000000000198000-memory.dmp

Filesize
352KB

Download
memory/2032-56-0x0000000004830000-0x0000000004870000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing