eternity | 75f94abaccf17c5bd5b118c3bb9335371fa5f983b8afef225b935ed15b7c5aaa

Analysis

max time kernel
35s
max time network
38s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 18:00

Target

Slipware.exe
Size

1.3MB
MD5

eab003fd0f22b2a5e44aaf7a0bd37f28
SHA1

a054a333bca9947b79792a75fefc3830b95cf96a
SHA256

75f94abaccf17c5bd5b118c3bb9335371fa5f983b8afef225b935ed15b7c5aaa
SHA512

6f52cd5f08a6da874e7b96febc0ad681dc5a520f67168a117421b13ab967ae3b8c4c159f30a8d08a8b0f3b88ca457b627f1c21fc986d7125439bd2d52c37f830
SSDEEP

12288:eTEYAsROAsrt/uxduo1jB0Y96qII7bqk6Jw7cWo2JsN/0Jfdr39N0l+tlwHUI7:ewT7rC6qIIqk6JwvoAsNsztvG0I

Score

10^/10

eternity stealer

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/932-54-0x0000000000DA0000-0x0000000000EB8000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slipware.exe	Slipware.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slipware.exe	Slipware.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	dcd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1672	932	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	Slipware.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1916	932	Slipware.exe	27
PID 932 wrote to memory of 1916	932	Slipware.exe	27
PID 932 wrote to memory of 1916	932	Slipware.exe	27
PID 932 wrote to memory of 1916	932	Slipware.exe	27
PID 932 wrote to memory of 1672	932	Slipware.exe	28
PID 932 wrote to memory of 1672	932	Slipware.exe	28
PID 932 wrote to memory of 1672	932	Slipware.exe	28

C:\Users\Admin\AppData\Local\Temp\Slipware.exe
"C:\Users\Admin\AppData\Local\Temp\Slipware.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 932 -s 1572
  2⤵
  - Program crash
  PID:1672

C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
memory/932-54-0x0000000000DA0000-0x0000000000EB8000-memory.dmp

Filesize
1.1MB

Download
memory/932-55-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/932-56-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/932-57-0x00000000003D0000-0x000000000040E000-memory.dmp

Filesize
248KB

Download
memory/932-58-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/932-59-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/932-65-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/932-68-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download