eternity | 8449c21ff291ad95f213aec15248c2f7d1c68e5b2200ceb80f15dc6647d86bd1

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe
Size

1.7MB
MD5

28dfcf156ed2ac3a05ad4dc7dffc7b1d
SHA1

80a3c0309c9976d7f4e12fa1d43f589a5e9bb4fc
SHA256

8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035
SHA512

f4c87135c7b92ab76be07de36e4435ab03609243661d3e19c78e7f2faa825b7af0ff937d64063bd903ca0f45618629b1bb41df4c37368eeb477915e9ffe11238
SSDEEP

49152:sZzujF1mUmQW1CTB8/cRAfC30buKZYZRDDE7iQ8FfRJJegqrO4V:Iqbm/QW1CC/cRAs2a4V

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe

Executes dropped EXE 2 IoCs

pid	Process
1500	ShellExperienceHost.exe
4164	tmp2294.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
320	1500	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	tmp2294.tmp.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1500	4480	8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe	86
PID 4480 wrote to memory of 1500	4480	8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe	86
PID 4480 wrote to memory of 4164	4480	8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe	89
PID 4480 wrote to memory of 4164	4480	8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe	89
PID 4480 wrote to memory of 4164	4480	8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe	89

C:\Users\Admin\AppData\Local\Temp\8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe
"C:\Users\Admin\AppData\Local\Temp\8771bd1aa86852d62474f9f811fad596dd7405c4b31e119c71d77413ce9b4035.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe
  "C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe"
  2⤵
  - Executes dropped EXE
  PID:1500
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1500 -s 364
    3⤵
    - Program crash
    PID:320
- C:\Users\Admin\AppData\Local\Temp\tmp2294.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2294.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 1500 -ip 1500
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe

Filesize
1.6MB

MD5
4743db60c94dc6af7b5443115df4cdcc

SHA1
5c15eb26989b7e3bc04d343ae926fd668636b630

SHA256
4c920501a1c25235ddbd63825a238ff29c4bd89bd054cd0157ec7f55ed20ce59

SHA512
ea23af8e4310392de4c458bff371081c8a2b8a2b957f3aa6c8a7a245d2875e396dfa04fc2d590edfee13056cc28960cc182c0c3cc03999b62738c201edf04c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShellExperienceHost.exe

Filesize
1.6MB

MD5
4743db60c94dc6af7b5443115df4cdcc

SHA1
5c15eb26989b7e3bc04d343ae926fd668636b630

SHA256
4c920501a1c25235ddbd63825a238ff29c4bd89bd054cd0157ec7f55ed20ce59

SHA512
ea23af8e4310392de4c458bff371081c8a2b8a2b957f3aa6c8a7a245d2875e396dfa04fc2d590edfee13056cc28960cc182c0c3cc03999b62738c201edf04c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2294.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2294.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2294.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/4164-159-0x0000000000CF0000-0x0000000000D0A000-memory.dmp

Filesize
104KB

Download
memory/4164-160-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4164-161-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/4480-133-0x00000000002E0000-0x0000000000492000-memory.dmp

Filesize
1.7MB

Download
memory/4480-135-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download