eternity | 8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c

General

Target

8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
Size

1.4MB
MD5

88ad6b11165e045a4b03a6eec6546c31
SHA1

b16a4d87ad03557d72b162a26f66bfdc43c855c6
SHA256

8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c
SHA512

e4e34af5fe2cd0fd1a4d969c4b86ccb9763cc97931da1d73171c293eb888b6d2e45022667a1482e4a1625b117e8b579ac47d6398f362f9e4066f1841a57551aa
SSDEEP

24576:iyMtE3yw022MWRrGWOK+0QLTW/NdJrrGWU9G5EvsJ/1nWoBRFmpPvwuM8+re:U23ywWTr+k/NdJeaEvO/HBPmQuMBre

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Attributes

payload_urls
http://162.244.93.4/~rubin/swo.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
2536	vbc.exe
4792	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
884	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
224	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
Token: 33	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
Token: SeIncBasePriorityPrivilege	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 2020 wrote to memory of 4456	2020	8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe	70
PID 4456 wrote to memory of 1096	4456	vbc.exe	71
PID 4456 wrote to memory of 1096	4456	vbc.exe	71
PID 4456 wrote to memory of 1096	4456	vbc.exe	71
PID 1096 wrote to memory of 220	1096	cmd.exe	73
PID 1096 wrote to memory of 220	1096	cmd.exe	73
PID 1096 wrote to memory of 220	1096	cmd.exe	73
PID 1096 wrote to memory of 224	1096	cmd.exe	74
PID 1096 wrote to memory of 224	1096	cmd.exe	74
PID 1096 wrote to memory of 224	1096	cmd.exe	74
PID 1096 wrote to memory of 884	1096	cmd.exe	75
PID 1096 wrote to memory of 884	1096	cmd.exe	75
PID 1096 wrote to memory of 884	1096	cmd.exe	75
PID 1096 wrote to memory of 2536	1096	cmd.exe	76
PID 1096 wrote to memory of 2536	1096	cmd.exe	76
PID 1096 wrote to memory of 2536	1096	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe
"C:\Users\Admin\AppData\Local\Temp\8208c61fb8ae7da93969954ea176ed3730310c2c99d1199094a2cffa491cb23c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "vbc" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:220
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:224
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "vbc" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:884
  - - C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe"
      4⤵
      Executes dropped EXE
      PID:2536

C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe
1⤵
- Executes dropped EXE
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\vbc.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
memory/2020-120-0x0000000000EA0000-0x0000000000FFE000-memory.dmp

Filesize
1.4MB

Download
memory/2020-121-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2020-122-0x0000000005C40000-0x000000000613E000-memory.dmp

Filesize
5.0MB

Download
memory/2020-123-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/2020-127-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4456-124-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4456-128-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4456-138-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads