eternity | 4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e

Analysis

max time kernel
116s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.4MB
MD5

0fcabff10f0b3659aecdcb536e685377
SHA1

fd1f72d74a65ea4f71fbe98acf5a6a84398632b8
SHA256

4c0f274e3694fbabe53bf4160108b37353cbe110eab6effadfad8dc1f868d49e
SHA512

eef91dd06cdb75e84b22d0757af20aeae0a700809d0d217cbb2437566acee101397d93a5617ccbea83896f5c4df79b80306a967de467a320b763b6219c82642a
SSDEEP

24576:FCXYEopBLD+2pIRPAo+V0z68WEZYcsl12gwpU7ng4QLCKnv8hfiF+IoHOWZ2wvxI:SFnPAo+S28BZY3lgg97ngB+KIIoHOWD

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Attributes

payload_urls
http://167.88.170.23/swo/sw.exe

http://167.88.170.23/swo/swo.exe,http://167.88.170.23/1300.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
1416	InstallUtil.exe
1876	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 3880	3896	tmp.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2420	3896	WerFault.exe	78

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
620	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4392	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe
3896	tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	tmp.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 796	3896	tmp.exe	88
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3896 wrote to memory of 3880	3896	tmp.exe	89
PID 3880 wrote to memory of 2848	3880	InstallUtil.exe	93
PID 3880 wrote to memory of 2848	3880	InstallUtil.exe	93
PID 3880 wrote to memory of 2848	3880	InstallUtil.exe	93
PID 2848 wrote to memory of 392	2848	cmd.exe	95
PID 2848 wrote to memory of 392	2848	cmd.exe	95
PID 2848 wrote to memory of 392	2848	cmd.exe	95
PID 2848 wrote to memory of 4392	2848	cmd.exe	96
PID 2848 wrote to memory of 4392	2848	cmd.exe	96
PID 2848 wrote to memory of 4392	2848	cmd.exe	96
PID 2848 wrote to memory of 620	2848	cmd.exe	97
PID 2848 wrote to memory of 620	2848	cmd.exe	97
PID 2848 wrote to memory of 620	2848	cmd.exe	97
PID 2848 wrote to memory of 1416	2848	cmd.exe	98
PID 2848 wrote to memory of 1416	2848	cmd.exe	98
PID 2848 wrote to memory of 1416	2848	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "InstallUtil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "InstallUtil" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:620
  - - C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe"
      4⤵
      Executes dropped EXE
      PID:1416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1468
  2⤵
  - Program crash
  PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3896 -ip 3896
1⤵
PID:1344

C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe
1⤵
- Executes dropped EXE
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
321B

MD5
08027eeee0542c93662aef98d70095e4

SHA1
42402c02bf4763fcd6fb0650fc13386f2eae8f9b

SHA256
1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

SHA512
c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
memory/1416-155-0x0000000002670000-0x000000000268A000-memory.dmp

Filesize
104KB

Download
memory/1416-154-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/3880-146-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/3896-138-0x0000000006360000-0x00000000063FC000-memory.dmp

Filesize
624KB

Download
memory/3896-141-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-142-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-143-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-144-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-145-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-140-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-139-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-133-0x00000000007D0000-0x0000000000A38000-memory.dmp

Filesize
2.4MB

Download
memory/3896-137-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/3896-136-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/3896-135-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/3896-134-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download