eternity | e72ba123ab2230b92c80767c89f37989b3e342b6afb61d638c4ae92192cb744f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32d883d45ff52cbfde2ed8868c3a50c7.exe
Size

2.1MB
MD5

32d883d45ff52cbfde2ed8868c3a50c7
SHA1

5aa654b6a616ea75370ac559df4421bf67eef265
SHA256

e72ba123ab2230b92c80767c89f37989b3e342b6afb61d638c4ae92192cb744f
SHA512

6df5e54ccfb4e7010add8db922fa5a65ddfe08142d93659830b9e5ea766dce70332834ba940b859921bdc074e2aa9697a50b16bf475ad7716c7c4a460de78d5e
SSDEEP

24576:gsK5rYRnE8sdMmJD9RQSyeRH9xrofiiymJWIg7MQnrhSqnfFQypfV+Dg1DzeHPTQ:hK5rYRnraMmDkMXr6JGhgef6HjP4Ng0

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/swo/sw.exe

http://167.88.170.23/swo/swo.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	32d883d45ff52cbfde2ed8868c3a50c7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Email and Password List.exe

Executes dropped EXE 9 IoCs

pid	Process
736	Email and Password List.exe
3504	Email and Password List.exe
1712	Email and Password List.exe
2928	Email and Password List.exe
756	Email and Password List.exe
3312	Email and Password List.exe
4808	Email and Password List.exe
2804	Email and Password List.exe
1740	Email and Password List.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 736 set thread context of 2928	736	Email and Password List.exe	100
PID 756 set thread context of 3312	756	Email and Password List.exe	111
PID 4808 set thread context of 1740	4808	Email and Password List.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
320	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	32d883d45ff52cbfde2ed8868c3a50c7.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4996	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
736	Email and Password List.exe
736	Email and Password List.exe
736	Email and Password List.exe
736	Email and Password List.exe
4808	Email and Password List.exe
4808	Email and Password List.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	Email and Password List.exe
Token: SeDebugPrivilege	3312	Email and Password List.exe
Token: SeDebugPrivilege	4808	Email and Password List.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3136	2564	32d883d45ff52cbfde2ed8868c3a50c7.exe	87
PID 2564 wrote to memory of 3136	2564	32d883d45ff52cbfde2ed8868c3a50c7.exe	87
PID 2564 wrote to memory of 3136	2564	32d883d45ff52cbfde2ed8868c3a50c7.exe	87
PID 2564 wrote to memory of 736	2564	32d883d45ff52cbfde2ed8868c3a50c7.exe	88
PID 2564 wrote to memory of 736	2564	32d883d45ff52cbfde2ed8868c3a50c7.exe	88
PID 2564 wrote to memory of 736	2564	32d883d45ff52cbfde2ed8868c3a50c7.exe	88
PID 736 wrote to memory of 3504	736	Email and Password List.exe	98
PID 736 wrote to memory of 3504	736	Email and Password List.exe	98
PID 736 wrote to memory of 3504	736	Email and Password List.exe	98
PID 736 wrote to memory of 1712	736	Email and Password List.exe	99
PID 736 wrote to memory of 1712	736	Email and Password List.exe	99
PID 736 wrote to memory of 1712	736	Email and Password List.exe	99
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 736 wrote to memory of 2928	736	Email and Password List.exe	100
PID 2928 wrote to memory of 4348	2928	Email and Password List.exe	102
PID 2928 wrote to memory of 4348	2928	Email and Password List.exe	102
PID 2928 wrote to memory of 4348	2928	Email and Password List.exe	102
PID 4348 wrote to memory of 3776	4348	cmd.exe	104
PID 4348 wrote to memory of 3776	4348	cmd.exe	104
PID 4348 wrote to memory of 3776	4348	cmd.exe	104
PID 4348 wrote to memory of 4996	4348	cmd.exe	105
PID 4348 wrote to memory of 4996	4348	cmd.exe	105
PID 4348 wrote to memory of 4996	4348	cmd.exe	105
PID 4348 wrote to memory of 320	4348	cmd.exe	107
PID 4348 wrote to memory of 320	4348	cmd.exe	107
PID 4348 wrote to memory of 320	4348	cmd.exe	107
PID 4348 wrote to memory of 756	4348	cmd.exe	108
PID 4348 wrote to memory of 756	4348	cmd.exe	108
PID 4348 wrote to memory of 756	4348	cmd.exe	108
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 756 wrote to memory of 3312	756	Email and Password List.exe	111
PID 4808 wrote to memory of 2804	4808	Email and Password List.exe	114
PID 4808 wrote to memory of 2804	4808	Email and Password List.exe	114
PID 4808 wrote to memory of 2804	4808	Email and Password List.exe	114
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115
PID 4808 wrote to memory of 1740	4808	Email and Password List.exe	115

C:\Users\Admin\AppData\Local\Temp\32d883d45ff52cbfde2ed8868c3a50c7.exe
"C:\Users\Admin\AppData\Local\Temp\32d883d45ff52cbfde2ed8868c3a50c7.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Email and Password List.txt
  2⤵
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe
  "C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe
    "{path}"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Email and Password List" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3776
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:4996
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "Email and Password List" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:320
    - - C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312

C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe
  "{path}"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe
  "{path}"
  2⤵
  - Executes dropped EXE
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Email and Password List.exe.log

Filesize
1KB

MD5
bb3d30439ec1e6435c3eac4df8c1d2e3

SHA1
c901d5946e53ae0a9e2417c8dfaf5786a0037422

SHA256
182adf89e57f80a92db9a5e13105cd59544f37855ca35f98116a0182ddd3b2e6

SHA512
d3547aadf665ce2552b3dfa350b80a5e813aa346870fb2b05a3b998096eebf563143bffe964e0f7243761b79420d1adf02f735779902901d1a41a1f35c557572

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email and Password List.exe

Filesize
2.1MB

MD5
633b0303b31c70c07ee65e0fcc895259

SHA1
c00053332bc05a57604147419660908d8ac0da1d

SHA256
11536d2bcc70ddd7cb41038ab3db2b38ebbe5ce0c7eb2927f93772d63447c3ce

SHA512
a5673ba02847215d96f67b1b148bebcc0567e48a981efe1b1fed93c074614776c52a9588dee6a6a3e2b55bbd1c3aab6c918e5dd7529d9d358e3a50cecd65767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email and Password List.txt

Filesize
430B

MD5
a5a443178bdaa30182c6e2b9b48df2ce

SHA1
73ec04586fd724f739f7f6fa2712b973415f9088

SHA256
733309d8140475365b046dc173093bc2e9e08e2b73b5f478f4f32ca750ac3add

SHA512
bdc06b923cd54cbd2444a29fca221587a8beb4218d1d408fef33b2468fdbfdbef63cb29382165b2cc20b6863c07bc83fb4c64b2307c31d965489c77b73f67524

Download Submit
memory/736-153-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/736-157-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/736-154-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/736-155-0x0000000004C00000-0x0000000004C0A000-memory.dmp

Filesize
40KB

Download
memory/736-150-0x0000000000180000-0x000000000039C000-memory.dmp

Filesize
2.1MB

Download
memory/736-152-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/736-151-0x0000000004C20000-0x0000000004CBC000-memory.dmp

Filesize
624KB

Download
memory/736-156-0x0000000004EE0000-0x0000000004F36000-memory.dmp

Filesize
344KB

Download
memory/2564-133-0x0000000000860000-0x0000000000A86000-memory.dmp

Filesize
2.1MB

Download
memory/2564-137-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2928-164-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/2928-160-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3312-172-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/4808-174-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download