eternity | d3c148d3aeded0cf8bde6555680e89f4680574e621f346e110ecb6052deda463

General

Target

22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe
Size

190KB
MD5

298bf0edf7ba8ce2d37ed7b4d4c2a47b
SHA1

a5b89650085847be9128555ca0224887d1438a6f
SHA256

22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc
SHA512

0d99bbfd8cff0a68e9cbe29da36f95a4852f0ba59ffe0a00d0c6a5656742f5696e21c0f4cca96ea894e17a99a7fc5ffd0885ceba466b1d99879171b9cdccb99f
SSDEEP

3072:d0v9WfBTE29hoBbqyLnQfe5mx45tZgmig6CLw/6zjRkr3IpwHNnr+IVAJ:Sv9CTECo5qm+Q4sipCLw/6zjRkr3Uwt6

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
1048	cmm.exe
532	tmp7CE2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe
2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	tmp7CE2.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1048	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	28
PID 2032 wrote to memory of 1048	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	28
PID 2032 wrote to memory of 1048	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	28
PID 2032 wrote to memory of 1048	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	28
PID 2032 wrote to memory of 532	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	29
PID 2032 wrote to memory of 532	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	29
PID 2032 wrote to memory of 532	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	29
PID 2032 wrote to memory of 532	2032	22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe	29

C:\Users\Admin\AppData\Local\Temp\22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe
"C:\Users\Admin\AppData\Local\Temp\22e661a484f52addd2e05986c0604073624785bedc10c082c3d0510a20bcafdc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\cmm.exe
  "C:\Users\Admin\AppData\Local\Temp\cmm.exe"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\tmp7CE2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7CE2.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmm.exe

Filesize
95KB

MD5
115f715652b7cb3280845e6ced43affe

SHA1
95a021449e589ff9b1bec2a06277daebc2ea75a4

SHA256
76a6b7da6cf1644ed25fbfa3464ec010003e27b011c8a37dc03cabdcd9aeccd7

SHA512
881833e848dd8fbc461eee1c2cd2f287127d41905b7c84419b27c1697b69e914bf3e5100816bb3cbb7a7e76ea1bc0838646798f431cf9e74f88ab2e379a19219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CE2.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CE2.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\cmm.exe

Filesize
95KB

MD5
115f715652b7cb3280845e6ced43affe

SHA1
95a021449e589ff9b1bec2a06277daebc2ea75a4

SHA256
76a6b7da6cf1644ed25fbfa3464ec010003e27b011c8a37dc03cabdcd9aeccd7

SHA512
881833e848dd8fbc461eee1c2cd2f287127d41905b7c84419b27c1697b69e914bf3e5100816bb3cbb7a7e76ea1bc0838646798f431cf9e74f88ab2e379a19219

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7CE2.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/532-69-0x00000000008A0000-0x00000000008BA000-memory.dmp

Filesize
104KB

Download
memory/532-70-0x00000000045D0000-0x0000000004610000-memory.dmp

Filesize
256KB

Download
memory/532-71-0x00000000045D0000-0x0000000004610000-memory.dmp

Filesize
256KB

Download
memory/2032-54-0x0000000000B00000-0x0000000000B34000-memory.dmp

Filesize
208KB

Download
memory/2032-56-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing