eternity | 595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/04/2023, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2294e4d5bee6834cba1fe1a8e6822dd.exe
Size

2.4MB
MD5

e2294e4d5bee6834cba1fe1a8e6822dd
SHA1

15bebe3f370b8f18a200dd642d0d47db896381fa
SHA256

595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b
SHA512

44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26
SSDEEP

49152:EYAyudWEYZUX5w5rtEZmFeaXRN5c/gJZUm020E6p1kj9FBD:judW45wlGZoLRq+X09Y

Score

10^/10

eternity worm

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/swo/sw.exe

http://167.88.170.23/swo/swo.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Deletes itself 1 IoCs

pid	Process
1396	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe
700	e2294e4d5bee6834cba1fe1a8e6822dd.exe
908	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1992	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1220	e2294e4d5bee6834cba1fe1a8e6822dd.exe

Loads dropped DLL 2 IoCs

pid	Process
1396	cmd.exe
1396	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1336 set thread context of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 700 set thread context of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 1724 set thread context of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
996	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1276	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe
700	e2294e4d5bee6834cba1fe1a8e6822dd.exe
700	e2294e4d5bee6834cba1fe1a8e6822dd.exe
700	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe
1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe
Token: SeDebugPrivilege	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe
Token: SeDebugPrivilege	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe
Token: SeDebugPrivilege	908	e2294e4d5bee6834cba1fe1a8e6822dd.exe
Token: SeDebugPrivilege	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1988 wrote to memory of 1856	1988	e2294e4d5bee6834cba1fe1a8e6822dd.exe	28
PID 1856 wrote to memory of 1396	1856	e2294e4d5bee6834cba1fe1a8e6822dd.exe	30
PID 1856 wrote to memory of 1396	1856	e2294e4d5bee6834cba1fe1a8e6822dd.exe	30
PID 1856 wrote to memory of 1396	1856	e2294e4d5bee6834cba1fe1a8e6822dd.exe	30
PID 1856 wrote to memory of 1396	1856	e2294e4d5bee6834cba1fe1a8e6822dd.exe	30
PID 1396 wrote to memory of 1296	1396	cmd.exe	32
PID 1396 wrote to memory of 1296	1396	cmd.exe	32
PID 1396 wrote to memory of 1296	1396	cmd.exe	32
PID 1396 wrote to memory of 1296	1396	cmd.exe	32
PID 1396 wrote to memory of 1276	1396	cmd.exe	33
PID 1396 wrote to memory of 1276	1396	cmd.exe	33
PID 1396 wrote to memory of 1276	1396	cmd.exe	33
PID 1396 wrote to memory of 1276	1396	cmd.exe	33
PID 1396 wrote to memory of 996	1396	cmd.exe	34
PID 1396 wrote to memory of 996	1396	cmd.exe	34
PID 1396 wrote to memory of 996	1396	cmd.exe	34
PID 1396 wrote to memory of 996	1396	cmd.exe	34
PID 1396 wrote to memory of 1336	1396	cmd.exe	35
PID 1396 wrote to memory of 1336	1396	cmd.exe	35
PID 1396 wrote to memory of 1336	1396	cmd.exe	35
PID 1396 wrote to memory of 1336	1396	cmd.exe	35
PID 1804 wrote to memory of 700	1804	taskeng.exe	37
PID 1804 wrote to memory of 700	1804	taskeng.exe	37
PID 1804 wrote to memory of 700	1804	taskeng.exe	37
PID 1804 wrote to memory of 700	1804	taskeng.exe	37
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 1336 wrote to memory of 908	1336	e2294e4d5bee6834cba1fe1a8e6822dd.exe	38
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 700 wrote to memory of 1992	700	e2294e4d5bee6834cba1fe1a8e6822dd.exe	39
PID 1804 wrote to memory of 1724	1804	taskeng.exe	40
PID 1804 wrote to memory of 1724	1804	taskeng.exe	40
PID 1804 wrote to memory of 1724	1804	taskeng.exe	40
PID 1804 wrote to memory of 1724	1804	taskeng.exe	40
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41
PID 1724 wrote to memory of 1220	1724	e2294e4d5bee6834cba1fe1a8e6822dd.exe	41

C:\Users\Admin\AppData\Local\Temp\e2294e4d5bee6834cba1fe1a8e6822dd.exe
"C:\Users\Admin\AppData\Local\Temp\e2294e4d5bee6834cba1fe1a8e6822dd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\e2294e4d5bee6834cba1fe1a8e6822dd.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "e2294e4d5bee6834cba1fe1a8e6822dd" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\e2294e4d5bee6834cba1fe1a8e6822dd.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe"
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1276
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "e2294e4d5bee6834cba1fe1a8e6822dd" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:996
  - - C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:908

C:\Windows\system32\taskeng.exe
taskeng.exe {62F23F50-F474-4EF5-B563-8D608E38CFD5} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
  C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:1992
- C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
  C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
\Users\Admin\AppData\Local\ServiceHub\e2294e4d5bee6834cba1fe1a8e6822dd.exe

Filesize
2.4MB

MD5
e2294e4d5bee6834cba1fe1a8e6822dd

SHA1
15bebe3f370b8f18a200dd642d0d47db896381fa

SHA256
595556574c59022b9837a133c53c0a229eed297a9c338b70e8acbd99abcfa51b

SHA512
44e520bf02422277f7a7a75835e5f975261fedfef60a93eab1abfa19582a5605af619360f73f383fd32c7ead09510182cec0f86e388a615f8d8a75541db20e26

Download Submit
memory/700-79-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/700-93-0x0000000006D30000-0x0000000006E82000-memory.dmp

Filesize
1.3MB

Download
memory/700-80-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/908-92-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/908-85-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/908-105-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/908-91-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/908-89-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1336-76-0x0000000000BA0000-0x0000000000E00000-memory.dmp

Filesize
2.4MB

Download
memory/1336-77-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1856-63-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1856-61-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1856-67-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1856-65-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1856-60-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1856-62-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1856-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1856-69-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/1988-59-0x0000000006320000-0x0000000006472000-memory.dmp

Filesize
1.3MB

Download
memory/1988-54-0x0000000001370000-0x00000000015D0000-memory.dmp

Filesize
2.4MB

Download
memory/1988-57-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1988-58-0x0000000005CE0000-0x0000000005E86000-memory.dmp

Filesize
1.6MB

Download
memory/1988-56-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1988-55-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download