eternity | 8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c

Analysis

max time kernel
293s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08-08-2023 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
Size

1.4MB
MD5

88ad6b11165e045a4b03a6eec6546c31
SHA1

b16a4d87ad03557d72b162a26f66bfdc43c855c6
SHA256

8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c
SHA512

e4e34af5fe2cd0fd1a4d969c4b86ccb9763cc97931da1d73171c293eb888b6d2e45022667a1482e4a1625b117e8b579ac47d6398f362f9e4066f1841a57551aa
SSDEEP

24576:iyMtE3yw022MWRrGWOK+0QLTW/NdJrrGWU9G5EvsJ/1nWoBRFmpPvwuM8+re:U23ywWTr+k/NdJeaEvO/HBPmQuMBre

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Attributes

payload_urls
http://162.244.93.4/~rubin/swo.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 6 IoCs

pid	Process
2596	vbc.exe
2812	vbc.exe
2468	vbc.exe
2748	vbc.exe
240	vbc.exe
2600	vbc.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	cmd.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3032	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2016	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
Token: 33	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
Token: SeIncBasePriorityPrivilege	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 1700 wrote to memory of 2316	1700	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	28
PID 2316 wrote to memory of 2160	2316	vbc.exe	29
PID 2316 wrote to memory of 2160	2316	vbc.exe	29
PID 2316 wrote to memory of 2160	2316	vbc.exe	29
PID 2316 wrote to memory of 2160	2316	vbc.exe	29
PID 2160 wrote to memory of 2492	2160	cmd.exe	31
PID 2160 wrote to memory of 2492	2160	cmd.exe	31
PID 2160 wrote to memory of 2492	2160	cmd.exe	31
PID 2160 wrote to memory of 2492	2160	cmd.exe	31
PID 2160 wrote to memory of 2016	2160	cmd.exe	32
PID 2160 wrote to memory of 2016	2160	cmd.exe	32
PID 2160 wrote to memory of 2016	2160	cmd.exe	32
PID 2160 wrote to memory of 2016	2160	cmd.exe	32
PID 2160 wrote to memory of 3032	2160	cmd.exe	33
PID 2160 wrote to memory of 3032	2160	cmd.exe	33
PID 2160 wrote to memory of 3032	2160	cmd.exe	33
PID 2160 wrote to memory of 3032	2160	cmd.exe	33
PID 2160 wrote to memory of 2596	2160	cmd.exe	34
PID 2160 wrote to memory of 2596	2160	cmd.exe	34
PID 2160 wrote to memory of 2596	2160	cmd.exe	34
PID 2160 wrote to memory of 2596	2160	cmd.exe	34
PID 2704 wrote to memory of 2812	2704	taskeng.exe	39
PID 2704 wrote to memory of 2812	2704	taskeng.exe	39
PID 2704 wrote to memory of 2812	2704	taskeng.exe	39
PID 2704 wrote to memory of 2812	2704	taskeng.exe	39
PID 2704 wrote to memory of 2468	2704	taskeng.exe	41
PID 2704 wrote to memory of 2468	2704	taskeng.exe	41
PID 2704 wrote to memory of 2468	2704	taskeng.exe	41
PID 2704 wrote to memory of 2468	2704	taskeng.exe	41
PID 2704 wrote to memory of 2748	2704	taskeng.exe	43
PID 2704 wrote to memory of 2748	2704	taskeng.exe	43
PID 2704 wrote to memory of 2748	2704	taskeng.exe	43
PID 2704 wrote to memory of 2748	2704	taskeng.exe	43
PID 2704 wrote to memory of 240	2704	taskeng.exe	45
PID 2704 wrote to memory of 240	2704	taskeng.exe	45
PID 2704 wrote to memory of 240	2704	taskeng.exe	45
PID 2704 wrote to memory of 240	2704	taskeng.exe	45
PID 2704 wrote to memory of 2600	2704	taskeng.exe	47
PID 2704 wrote to memory of 2600	2704	taskeng.exe	47
PID 2704 wrote to memory of 2600	2704	taskeng.exe	47
PID 2704 wrote to memory of 2600	2704	taskeng.exe	47

C:\Users\Admin\AppData\Local\Temp\8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
"C:\Users\Admin\AppData\Local\Temp\8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "vbc" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2016
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "vbc" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3032
  - - C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe"
      4⤵
      Executes dropped EXE
      PID:2596

C:\Windows\system32\taskeng.exe
taskeng.exe {D10275B2-4652-45B2-B00F-7F9B9B8B4384} S-1-5-21-4219371764-2579186923-3390623117-1000:NVACMPYA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
memory/1700-54-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-55-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/1700-53-0x0000000000170000-0x00000000002CE000-memory.dmp

Filesize
1.4MB

Download
memory/1700-65-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2316-60-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2316-72-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-69-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/2316-68-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2316-66-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2316-63-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2316-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-58-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2316-57-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2316-56-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads