eternity | 4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e

Analysis

max time kernel
133s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2023 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
Size

2.4MB
MD5

0fcabff10f0b3659aecdcb536e685377
SHA1

fd1f72d74a65ea4f71fbe98acf5a6a84398632b8
SHA256

4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e
SHA512

eef91dd06cdb75e84b22d0757af20aeae0a700809d0d217cbb2437566acee101397d93a5617ccbea83896f5c4df79b80306a967de467a320b763b6219c82642a
SSDEEP

24576:FCXYEopBLD+2pIRPAo+V0z68WEZYcsl12gwpU7ng4QLCKnv8hfiF+IoHOWZ2wvxI:SFnPAo+S28BZY3lgg97ngB+KIIoHOWD

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Attributes

payload_urls
http://167.88.170.23/swo/sw.exe

http://167.88.170.23/swo/swo.exe,http://167.88.170.23/1300.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
4364	InstallUtil.exe
1140	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4812 set thread context of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	4812	WerFault.exe	80

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2752	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4172	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 4812 wrote to memory of 536	4812	4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe	83
PID 536 wrote to memory of 2176	536	InstallUtil.exe	86
PID 536 wrote to memory of 2176	536	InstallUtil.exe	86
PID 536 wrote to memory of 2176	536	InstallUtil.exe	86
PID 2176 wrote to memory of 4544	2176	cmd.exe	88
PID 2176 wrote to memory of 4544	2176	cmd.exe	88
PID 2176 wrote to memory of 4544	2176	cmd.exe	88
PID 2176 wrote to memory of 4172	2176	cmd.exe	89
PID 2176 wrote to memory of 4172	2176	cmd.exe	89
PID 2176 wrote to memory of 4172	2176	cmd.exe	89
PID 2176 wrote to memory of 2752	2176	cmd.exe	90
PID 2176 wrote to memory of 2752	2176	cmd.exe	90
PID 2176 wrote to memory of 2752	2176	cmd.exe	90
PID 2176 wrote to memory of 4364	2176	cmd.exe	91
PID 2176 wrote to memory of 4364	2176	cmd.exe	91
PID 2176 wrote to memory of 4364	2176	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe
"C:\Users\Admin\AppData\Local\Temp\4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "InstallUtil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4172
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "InstallUtil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2752
  - - C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe"
      4⤵
      Executes dropped EXE
      PID:4364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1444
  2⤵
  - Program crash
  PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4812 -ip 4812
1⤵
PID:560

C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
1⤵
- Executes dropped EXE
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
memory/536-146-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4364-155-0x0000000004F40000-0x0000000004F5A000-memory.dmp

Filesize
104KB

Download
memory/4364-154-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/4812-138-0x0000000006F10000-0x0000000006FAC000-memory.dmp

Filesize
624KB

Download
memory/4812-141-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-142-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-143-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-144-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-145-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-140-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-139-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-133-0x0000000000E30000-0x0000000001098000-memory.dmp

Filesize
2.4MB

Download
memory/4812-137-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/4812-136-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4812-135-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/4812-134-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download