eternity | e03db0bfaa8bcf2d06c6ee55f567ccdf9036047c0f147028e2f8798db8b4f674

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe
Size

2.3MB
MD5

1273da64dc656db522fcaffb819502f2
SHA1

16163234aeeddc9cc66abe4a142d83f8710373de
SHA256

ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87
SHA512

67f0b03c01d36402e931b812a75ebaccf9c86492f1164908df423324bd45a368c6566b24dbeabf6bea8b4aa0c8827f9a7878d3bbee848157d0ece4ab9bf7b63f
SSDEEP

49152:uLF6XruXkTRNbxhv5azk9Yg7HURNz3YC095D0+bs0VQQynYIYG7GFNSsYCWqO:Q8u0TRN0RhxQst7nsFNSsYCWqO

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/swo/sw.exe

http://167.88.170.23/swo/swo.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	tmp940E.tmp.exe

Executes dropped EXE 9 IoCs

pid	Process
3668	WinLines.exe
4028	tmp940E.tmp.exe
380	tmp940E.tmp.exe
748	tmp940E.tmp.exe
4052	tmp940E.tmp.exe
3876	tmp940E.tmp.exe
3764	tmp940E.tmp.exe
4196	tmp940E.tmp.exe
3064	tmp940E.tmp.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 380	4028	tmp940E.tmp.exe	100
PID 748 set thread context of 3876	748	tmp940E.tmp.exe	109
PID 3764 set thread context of 4196	3764	tmp940E.tmp.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3460	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1396	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	tmp940E.tmp.exe
748	tmp940E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	tmp940E.tmp.exe
Token: SeDebugPrivilege	3876	tmp940E.tmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3668	WinLines.exe
3668	WinLines.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 3668	748	ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe	87
PID 748 wrote to memory of 3668	748	ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe	87
PID 748 wrote to memory of 3668	748	ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe	87
PID 748 wrote to memory of 4028	748	ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe	89
PID 748 wrote to memory of 4028	748	ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe	89
PID 748 wrote to memory of 4028	748	ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe	89
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 4028 wrote to memory of 380	4028	tmp940E.tmp.exe	100
PID 380 wrote to memory of 3240	380	tmp940E.tmp.exe	102
PID 380 wrote to memory of 3240	380	tmp940E.tmp.exe	102
PID 380 wrote to memory of 3240	380	tmp940E.tmp.exe	102
PID 3240 wrote to memory of 1668	3240	cmd.exe	104
PID 3240 wrote to memory of 1668	3240	cmd.exe	104
PID 3240 wrote to memory of 1668	3240	cmd.exe	104
PID 3240 wrote to memory of 1396	3240	cmd.exe	105
PID 3240 wrote to memory of 1396	3240	cmd.exe	105
PID 3240 wrote to memory of 1396	3240	cmd.exe	105
PID 3240 wrote to memory of 3460	3240	cmd.exe	106
PID 3240 wrote to memory of 3460	3240	cmd.exe	106
PID 3240 wrote to memory of 3460	3240	cmd.exe	106
PID 3240 wrote to memory of 748	3240	cmd.exe	107
PID 3240 wrote to memory of 748	3240	cmd.exe	107
PID 3240 wrote to memory of 748	3240	cmd.exe	107
PID 748 wrote to memory of 4052	748	tmp940E.tmp.exe	108
PID 748 wrote to memory of 4052	748	tmp940E.tmp.exe	108
PID 748 wrote to memory of 4052	748	tmp940E.tmp.exe	108
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 748 wrote to memory of 3876	748	tmp940E.tmp.exe	109
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112
PID 3764 wrote to memory of 4196	3764	tmp940E.tmp.exe	112

C:\Users\Admin\AppData\Local\Temp\ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe
"C:\Users\Admin\AppData\Local\Temp\ca89ba2aabb1cbc5e063fc8064974dfa98bdbccdd97d47b02f2b1718808e7f87.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\WinLines.exe
  "C:\Users\Admin\AppData\Local\Temp\WinLines.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe
    "{path}"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "tmp940E.tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1396
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "tmp940E.tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3460
    - - C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
      - C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        
        PID:4052
      - C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876

C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
  "{path}"
  2⤵
  - Executes dropped EXE
  PID:4196

C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe
1⤵
- Executes dropped EXE
PID:3064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp940E.tmp.exe.log

Filesize
1KB

MD5
bb3d30439ec1e6435c3eac4df8c1d2e3

SHA1
c901d5946e53ae0a9e2417c8dfaf5786a0037422

SHA256
182adf89e57f80a92db9a5e13105cd59544f37855ca35f98116a0182ddd3b2e6

SHA512
d3547aadf665ce2552b3dfa350b80a5e813aa346870fb2b05a3b998096eebf563143bffe964e0f7243761b79420d1adf02f735779902901d1a41a1f35c557572

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinLines.exe

Filesize
212KB

MD5
8b2a652e1d79b3e7bab6decdc9a9e6d6

SHA1
423dcd79198aec4e24e2e39fc1d6ff7279404576

SHA256
56a5028a5adf0e29e14792e46191e084ca63dabfa77923b0d12705eeab349b5d

SHA512
7703b99c43f95245fcf696344baf85972b0d494cdf31960829ff89e86f27aa50d12770576e5376b2df280a5a6ba2c854e9fe5366e9feaf468dfdc247678e944c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinLines.exe

Filesize
212KB

MD5
8b2a652e1d79b3e7bab6decdc9a9e6d6

SHA1
423dcd79198aec4e24e2e39fc1d6ff7279404576

SHA256
56a5028a5adf0e29e14792e46191e084ca63dabfa77923b0d12705eeab349b5d

SHA512
7703b99c43f95245fcf696344baf85972b0d494cdf31960829ff89e86f27aa50d12770576e5376b2df280a5a6ba2c854e9fe5366e9feaf468dfdc247678e944c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinLines.exe

Filesize
212KB

MD5
8b2a652e1d79b3e7bab6decdc9a9e6d6

SHA1
423dcd79198aec4e24e2e39fc1d6ff7279404576

SHA256
56a5028a5adf0e29e14792e46191e084ca63dabfa77923b0d12705eeab349b5d

SHA512
7703b99c43f95245fcf696344baf85972b0d494cdf31960829ff89e86f27aa50d12770576e5376b2df280a5a6ba2c854e9fe5366e9feaf468dfdc247678e944c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp940E.tmp.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
memory/380-166-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/380-170-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/748-135-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/748-176-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/748-177-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/748-133-0x0000000000CA0000-0x0000000000EF6000-memory.dmp

Filesize
2.3MB

Download
memory/3064-189-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/3764-185-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3764-184-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3876-181-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3876-182-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4028-161-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/4028-160-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4028-159-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/4028-162-0x0000000002EA0000-0x0000000002EAA000-memory.dmp

Filesize
40KB

Download
memory/4028-163-0x0000000005460000-0x00000000054B6000-memory.dmp

Filesize
344KB

Download
memory/4028-158-0x0000000000870000-0x0000000000A8C000-memory.dmp

Filesize
2.1MB

Download
memory/4028-164-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4028-165-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download