eternity | 084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb

Analysis

max time kernel
110s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

405f5eb6453f66e478a5f4c168616bfe.exe
Size

1.3MB
MD5

405f5eb6453f66e478a5f4c168616bfe
SHA1

c7f6f50f4d2a7fb6c4e07cad0781607ef45acb78
SHA256

084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb
SHA512

258bc3d41ddcffe8ccf82ac610b48219deeac5df325435fb68ecaaeceecdd2c2707ac76ec4afc58d52f5d332569b49c04ce47af16093b70abddc6091e2c78702
SSDEEP

24576:zOAkH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxY:atHZ5MMpoJOp+MIVai7Tq24GjdGS

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Attributes

payload_urls
http://167.88.170.23/swo/sw.exe

http://167.88.170.23/swo/swo.exe,http://167.88.170.23/1300.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Deletes itself 1 IoCs

pid	Process
1588	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1764	405f5eb6453f66e478a5f4c168616bfe.exe
568	405f5eb6453f66e478a5f4c168616bfe.exe
1088	405f5eb6453f66e478a5f4c168616bfe.exe

Loads dropped DLL 1 IoCs

pid	Process
1588	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1680	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
468	PING.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1588	1568	405f5eb6453f66e478a5f4c168616bfe.exe	28
PID 1568 wrote to memory of 1588	1568	405f5eb6453f66e478a5f4c168616bfe.exe	28
PID 1568 wrote to memory of 1588	1568	405f5eb6453f66e478a5f4c168616bfe.exe	28
PID 1568 wrote to memory of 1588	1568	405f5eb6453f66e478a5f4c168616bfe.exe	28
PID 1588 wrote to memory of 520	1588	cmd.exe	30
PID 1588 wrote to memory of 520	1588	cmd.exe	30
PID 1588 wrote to memory of 520	1588	cmd.exe	30
PID 1588 wrote to memory of 520	1588	cmd.exe	30
PID 1588 wrote to memory of 468	1588	cmd.exe	31
PID 1588 wrote to memory of 468	1588	cmd.exe	31
PID 1588 wrote to memory of 468	1588	cmd.exe	31
PID 1588 wrote to memory of 468	1588	cmd.exe	31
PID 1588 wrote to memory of 1680	1588	cmd.exe	32
PID 1588 wrote to memory of 1680	1588	cmd.exe	32
PID 1588 wrote to memory of 1680	1588	cmd.exe	32
PID 1588 wrote to memory of 1680	1588	cmd.exe	32
PID 1588 wrote to memory of 1764	1588	cmd.exe	33
PID 1588 wrote to memory of 1764	1588	cmd.exe	33
PID 1588 wrote to memory of 1764	1588	cmd.exe	33
PID 1588 wrote to memory of 1764	1588	cmd.exe	33
PID 1824 wrote to memory of 568	1824	taskeng.exe	35
PID 1824 wrote to memory of 568	1824	taskeng.exe	35
PID 1824 wrote to memory of 568	1824	taskeng.exe	35
PID 1824 wrote to memory of 568	1824	taskeng.exe	35
PID 1824 wrote to memory of 1088	1824	taskeng.exe	36
PID 1824 wrote to memory of 1088	1824	taskeng.exe	36
PID 1824 wrote to memory of 1088	1824	taskeng.exe	36
PID 1824 wrote to memory of 1088	1824	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\405f5eb6453f66e478a5f4c168616bfe.exe
"C:\Users\Admin\AppData\Local\Temp\405f5eb6453f66e478a5f4c168616bfe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "405f5eb6453f66e478a5f4c168616bfe" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\405f5eb6453f66e478a5f4c168616bfe.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:520
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "405f5eb6453f66e478a5f4c168616bfe" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1680
- - C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe"
    3⤵
    - Executes dropped EXE
    PID:1764

C:\Windows\system32\taskeng.exe
taskeng.exe {EDAA5DBD-DBB8-4FBE-9593-A14E870E824F} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe
  C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe
  C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe
  2⤵
  - Executes dropped EXE
  PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe

Filesize
1.3MB

MD5
405f5eb6453f66e478a5f4c168616bfe

SHA1
c7f6f50f4d2a7fb6c4e07cad0781607ef45acb78

SHA256
084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb

SHA512
258bc3d41ddcffe8ccf82ac610b48219deeac5df325435fb68ecaaeceecdd2c2707ac76ec4afc58d52f5d332569b49c04ce47af16093b70abddc6091e2c78702

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe

Filesize
1.3MB

MD5
405f5eb6453f66e478a5f4c168616bfe

SHA1
c7f6f50f4d2a7fb6c4e07cad0781607ef45acb78

SHA256
084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb

SHA512
258bc3d41ddcffe8ccf82ac610b48219deeac5df325435fb68ecaaeceecdd2c2707ac76ec4afc58d52f5d332569b49c04ce47af16093b70abddc6091e2c78702

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe

Filesize
1.3MB

MD5
405f5eb6453f66e478a5f4c168616bfe

SHA1
c7f6f50f4d2a7fb6c4e07cad0781607ef45acb78

SHA256
084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb

SHA512
258bc3d41ddcffe8ccf82ac610b48219deeac5df325435fb68ecaaeceecdd2c2707ac76ec4afc58d52f5d332569b49c04ce47af16093b70abddc6091e2c78702

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe

Filesize
1.3MB

MD5
405f5eb6453f66e478a5f4c168616bfe

SHA1
c7f6f50f4d2a7fb6c4e07cad0781607ef45acb78

SHA256
084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb

SHA512
258bc3d41ddcffe8ccf82ac610b48219deeac5df325435fb68ecaaeceecdd2c2707ac76ec4afc58d52f5d332569b49c04ce47af16093b70abddc6091e2c78702

Download Submit
\Users\Admin\AppData\Local\ServiceHub\405f5eb6453f66e478a5f4c168616bfe.exe

Filesize
1.3MB

MD5
405f5eb6453f66e478a5f4c168616bfe

SHA1
c7f6f50f4d2a7fb6c4e07cad0781607ef45acb78

SHA256
084e0cc2f7f21c82d8591bff89bf0d19e54fa3a6f9d8f4c78e2ff0cdc14ce4eb

SHA512
258bc3d41ddcffe8ccf82ac610b48219deeac5df325435fb68ecaaeceecdd2c2707ac76ec4afc58d52f5d332569b49c04ce47af16093b70abddc6091e2c78702

Download Submit
memory/568-63-0x0000000000BB0000-0x0000000000D02000-memory.dmp

Filesize
1.3MB

Download
memory/1088-65-0x0000000001370000-0x00000000014C2000-memory.dmp

Filesize
1.3MB

Download
memory/1568-54-0x0000000000BA0000-0x0000000000CF2000-memory.dmp

Filesize
1.3MB

Download
memory/1764-60-0x0000000000BB0000-0x0000000000D02000-memory.dmp

Filesize
1.3MB

Download
memory/1764-61-0x00000000021E0000-0x000000000225A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads