eternity | ba0eaa10cf793f2800b12d9698a598090bb3392714412aa6d0f20fb3ca4d12c1

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe
Size

217KB
MD5

4009a5e54d89221d9c9cfd34c3e04201
SHA1

d0f82788f5ba6c602d7d5be43d990acc8d309654
SHA256

4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0
SHA512

54288b3e03c93859d156a85e17c7193d00c046bbfdd6828bd8b3b00cf4045aea00796942084935d7a596268cebf278d7373ff7e9a5c94b2e3fe274cf3685afd7
SSDEEP

6144:v5A67XaDrATRPg4pHgmedrWX6GTBz6mX9QVI:BAe66ZpleUvBz6Lq

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe

Executes dropped EXE 2 IoCs

pid	Process
3732	AppLaunch.exe
4800	tmpEAA2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	tmpEAA2.tmp.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3732	2380	4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe	85
PID 2380 wrote to memory of 3732	2380	4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe	85
PID 2380 wrote to memory of 4800	2380	4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe	86
PID 2380 wrote to memory of 4800	2380	4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe	86
PID 2380 wrote to memory of 4800	2380	4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe	86

C:\Users\Admin\AppData\Local\Temp\4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe
"C:\Users\Admin\AppData\Local\Temp\4d399db5cf12ae30f1ae198e0133f0ffe515ef0d5df1014d416179062b5028e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe
  "C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe"
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe

Filesize
121KB

MD5
e9c3ec13a9c77b393692d748d8eb83ce

SHA1
729e44ce32bc0709642eb79c46bd8c3e9f91232b

SHA256
3682f6c9357e653150b1b7a96c30347e1abfa368a356db7c65a4c805f4eeb25e

SHA512
f1bdcc7cded610b6821b8a322546864495dbd371ebed3fbe683bc3e3751ed57c6ecfdfe8fe701c77d9e1ee698406cb9d1c7b4e15b079f89a430895343ab51e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe

Filesize
121KB

MD5
e9c3ec13a9c77b393692d748d8eb83ce

SHA1
729e44ce32bc0709642eb79c46bd8c3e9f91232b

SHA256
3682f6c9357e653150b1b7a96c30347e1abfa368a356db7c65a4c805f4eeb25e

SHA512
f1bdcc7cded610b6821b8a322546864495dbd371ebed3fbe683bc3e3751ed57c6ecfdfe8fe701c77d9e1ee698406cb9d1c7b4e15b079f89a430895343ab51e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\AppLaunch.exe

Filesize
121KB

MD5
e9c3ec13a9c77b393692d748d8eb83ce

SHA1
729e44ce32bc0709642eb79c46bd8c3e9f91232b

SHA256
3682f6c9357e653150b1b7a96c30347e1abfa368a356db7c65a4c805f4eeb25e

SHA512
f1bdcc7cded610b6821b8a322546864495dbd371ebed3fbe683bc3e3751ed57c6ecfdfe8fe701c77d9e1ee698406cb9d1c7b4e15b079f89a430895343ab51e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAA2.tmp.exe

Filesize
76KB

MD5
dbb92d6b3c324f8871bc508830b05c14

SHA1
4507d24c7d78a24fe5d92f916ed972709529ced0

SHA256
376294f1dd51cbb9591672655bb2720aeda8dd8004fcc0cb7c333b54ca5746f8

SHA512
d089dc29a1e982b7dd7e50698acdaf138455fb8b3e02b0874bec6734f261bf1a8ea5f10bcc43bb3c557812aeeeeb0410db157bfe341ee67516d6b8c3b758002a

Download Submit
memory/2380-133-0x0000000000AB0000-0x0000000000AEC000-memory.dmp

Filesize
240KB

Download
memory/2380-135-0x00000000015F0000-0x0000000001600000-memory.dmp

Filesize
64KB

Download
memory/4800-158-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download
memory/4800-159-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4800-160-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download