eternity | 0d183f2dc3f42ee5690c887edc06d804c9b4b422024007cde91456709a243543

General

Target

c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe
Size

328KB
MD5

3de35e7b319c69cbc465bb97b8684d22
SHA1

9392dc690cde034ae8c957d793feed0b51c0f353
SHA256

c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f
SHA512

3d6b368c47e88aecaca2f56f59f120543b7212dd3795c230180b1e3fff7ab5dcbbf25915ae943545a78de5d77d5e641f66670e79199c7599531ffd07d52c7be9
SSDEEP

6144:gp5T7GLVfqagP4tid/ijocghwL5jPZgzCrzLZ0Nmj4tDhO14Aue:gb7GLJ9Ad6jokgzC7m64Yue

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
1932	Microsoft.AAD.BrokerPlugin.exe
648	tmp1522.tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe
2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe
2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	tmp1522.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1932	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	28
PID 2032 wrote to memory of 1932	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	28
PID 2032 wrote to memory of 1932	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	28
PID 2032 wrote to memory of 1932	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	28
PID 2032 wrote to memory of 648	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	29
PID 2032 wrote to memory of 648	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	29
PID 2032 wrote to memory of 648	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	29
PID 2032 wrote to memory of 648	2032	c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe	29

C:\Users\Admin\AppData\Local\Temp\c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe
"C:\Users\Admin\AppData\Local\Temp\c8f009a16c673aa03ccc98e574f146bb358507684977a5c9645b0fff7ba2c40f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe"
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\tmp1522.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1522.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1522.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1522.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe

Filesize
232KB

MD5
c0f5ba80cf39ba6cd88707fbb81d7153

SHA1
4b3bd8624477dab4836806d21de5982421654bec

SHA256
f3bc209067ba31bac2084524af85e575439c265cb7a42ebc8ef28ccecb7ec85d

SHA512
e3c2cb1c031760d36ea491875e010fbd231f73c273214aa1b27ced0bc4a574df2517ce3fe178acbaca0458de73ba0b371e2174f6a1a854432d9ed79c89159102

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1522.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/648-71-0x0000000001010000-0x000000000102A000-memory.dmp

Filesize
104KB

Download
memory/648-72-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download
memory/648-73-0x0000000000DC0000-0x0000000000E00000-memory.dmp

Filesize
256KB

Download
memory/2032-54-0x0000000000220000-0x0000000000278000-memory.dmp

Filesize
352KB

Download
memory/2032-56-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing