eternity | 65bd5068031a515b1ab783dffdfda01504d9b94eeb6aae4938bf7665ef472748

General

Target

file.exe
Size

1.5MB
MD5

8e927abc6ac43a6637c02ecbbef15f93
SHA1

1924b436f12da17695e5367082c3ede9e3003dea
SHA256

65bd5068031a515b1ab783dffdfda01504d9b94eeb6aae4938bf7665ef472748
SHA512

dff478fc8fdba762fe85dd5b35943de5783db3df460bda5f1b239ff58469e36a4162344761d866b980920bc10cc28fce07c5d3ff8e3fcdca4f4be57bc5542f87
SSDEEP

49152:pwS3we1zgOPav416L6+0Ih+iwrO19hAeBnVmoEuGFiPYDg5jX5G:pwS3we1zlPav416LdlBVejFo75jXM

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://191.101.2.199/Worm.exe

http://191.101.2.199/Miner.exe, http://191.101.2.199/Clipper.exe, http://191.101.2.199/STE.exe, http://191.101.2.199/Rat.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1644	Miner.exe

Loads dropped DLL 6 IoCs

pid	Process
1900	file.exe
1644	Miner.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe
1972	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 1900	2000	file.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
884	2000	WerFault.exe	26
1972	1644	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	file.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 1900	2000	file.exe	27
PID 2000 wrote to memory of 884	2000	file.exe	28
PID 2000 wrote to memory of 884	2000	file.exe	28
PID 2000 wrote to memory of 884	2000	file.exe	28
PID 2000 wrote to memory of 884	2000	file.exe	28
PID 1900 wrote to memory of 1644	1900	file.exe	29
PID 1900 wrote to memory of 1644	1900	file.exe	29
PID 1900 wrote to memory of 1644	1900	file.exe	29
PID 1900 wrote to memory of 1644	1900	file.exe	29
PID 1644 wrote to memory of 1308	1644	Miner.exe	30
PID 1644 wrote to memory of 1308	1644	Miner.exe	30
PID 1644 wrote to memory of 1308	1644	Miner.exe	30
PID 1644 wrote to memory of 1308	1644	Miner.exe	30
PID 1644 wrote to memory of 1972	1644	Miner.exe	31
PID 1644 wrote to memory of 1972	1644	Miner.exe	31
PID 1644 wrote to memory of 1972	1644	Miner.exe	31
PID 1644 wrote to memory of 1972	1644	Miner.exe	31

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Miner.exe
    "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\Miner.exe
      "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 56
      4⤵
      Loads dropped DLL
      Program crash
      PID:1972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 56
  2⤵
  - Program crash
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
53.3MB

MD5
948a31b60432a4d331885d1583bc47a5

SHA1
24ef6b448ae3b248ff2f56532cea91f0ea4e485f

SHA256
89dd05b47e249d9eff407e5b23b7b0928cc38635e2669dad5be3175106ba8dcd

SHA512
bebd0382a318ab8b1979746d7703a836bb0739cba28a88b075b32a27216b603e29bd34646dc82ca608fba686d397121b996b1299a32decaa716d88da51d6e433

Download Submit
memory/1900-60-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1900-64-0x0000000005000000-0x0000000005154000-memory.dmp

Filesize
1.3MB

Download
memory/1900-65-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1900-66-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/1900-67-0x0000000005170000-0x00000000051B0000-memory.dmp

Filesize
256KB

Download
memory/1900-63-0x00000000051B0000-0x0000000005306000-memory.dmp

Filesize
1.3MB

Download
memory/1900-62-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1900-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1900-54-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1900-58-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1900-57-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1900-56-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download
memory/1900-55-0x0000000000400000-0x0000000000566000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing