eternity | 0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c

Analysis

max time kernel
165s
max time network
254s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
Size

2.1MB
MD5

2473e74dc2fdc9d391c9a0b08e79301e
SHA1

156f87d038c811c8937d6b78436f25300a555e26
SHA256

0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c
SHA512

498c85d87734ad07b8a3d37f7911d31206c4dfd99e983c8d86410cc14fbaae4ebd523032d1c025407dc9ffcc7cbbeef348f20e58fa63aeb34ed54073f52788aa
SSDEEP

49152://LRs6CE3jLbO9Rs6CE3jLbOGHazvh+dHK0SPyZ9C0lpnQwXiFa6Oyy42://LRs6CE3jLbO9Rs6CE3jLbOoazvh+5n

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Attributes

payload_urls
http://162.244.93.4/~rubin/swo.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 4 IoCs

pid	Process
5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
3840	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
1652	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
2776	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4804 set thread context of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 5000 set thread context of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4744	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3924	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 4804 wrote to memory of 2164	4804	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	70
PID 2164 wrote to memory of 3640	2164	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	71
PID 2164 wrote to memory of 3640	2164	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	71
PID 2164 wrote to memory of 3640	2164	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	71
PID 3640 wrote to memory of 1660	3640	cmd.exe	73
PID 3640 wrote to memory of 1660	3640	cmd.exe	73
PID 3640 wrote to memory of 1660	3640	cmd.exe	73
PID 3640 wrote to memory of 3924	3640	cmd.exe	74
PID 3640 wrote to memory of 3924	3640	cmd.exe	74
PID 3640 wrote to memory of 3924	3640	cmd.exe	74
PID 3640 wrote to memory of 4744	3640	cmd.exe	75
PID 3640 wrote to memory of 4744	3640	cmd.exe	75
PID 3640 wrote to memory of 4744	3640	cmd.exe	75
PID 3640 wrote to memory of 5000	3640	cmd.exe	76
PID 3640 wrote to memory of 5000	3640	cmd.exe	76
PID 3640 wrote to memory of 5000	3640	cmd.exe	76
PID 5000 wrote to memory of 3840	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	78
PID 5000 wrote to memory of 3840	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	78
PID 5000 wrote to memory of 3840	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	78
PID 5000 wrote to memory of 1652	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	79
PID 5000 wrote to memory of 1652	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	79
PID 5000 wrote to memory of 1652	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	79
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80
PID 5000 wrote to memory of 2776	5000	0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe	80

C:\Users\Admin\AppData\Local\Temp\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
"C:\Users\Admin\AppData\Local\Temp\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4744
  - - C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:3840
    - - C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe.log

Filesize
1KB

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Filesize
2.1MB

MD5
2473e74dc2fdc9d391c9a0b08e79301e

SHA1
156f87d038c811c8937d6b78436f25300a555e26

SHA256
0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c

SHA512
498c85d87734ad07b8a3d37f7911d31206c4dfd99e983c8d86410cc14fbaae4ebd523032d1c025407dc9ffcc7cbbeef348f20e58fa63aeb34ed54073f52788aa

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Filesize
2.1MB

MD5
2473e74dc2fdc9d391c9a0b08e79301e

SHA1
156f87d038c811c8937d6b78436f25300a555e26

SHA256
0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c

SHA512
498c85d87734ad07b8a3d37f7911d31206c4dfd99e983c8d86410cc14fbaae4ebd523032d1c025407dc9ffcc7cbbeef348f20e58fa63aeb34ed54073f52788aa

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Filesize
2.1MB

MD5
2473e74dc2fdc9d391c9a0b08e79301e

SHA1
156f87d038c811c8937d6b78436f25300a555e26

SHA256
0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c

SHA512
498c85d87734ad07b8a3d37f7911d31206c4dfd99e983c8d86410cc14fbaae4ebd523032d1c025407dc9ffcc7cbbeef348f20e58fa63aeb34ed54073f52788aa

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Filesize
2.1MB

MD5
2473e74dc2fdc9d391c9a0b08e79301e

SHA1
156f87d038c811c8937d6b78436f25300a555e26

SHA256
0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c

SHA512
498c85d87734ad07b8a3d37f7911d31206c4dfd99e983c8d86410cc14fbaae4ebd523032d1c025407dc9ffcc7cbbeef348f20e58fa63aeb34ed54073f52788aa

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c.exe

Filesize
2.1MB

MD5
2473e74dc2fdc9d391c9a0b08e79301e

SHA1
156f87d038c811c8937d6b78436f25300a555e26

SHA256
0ae10937cec301f6d6383396ab1261e5c0726d9b4087511dfc21440fcb58d15c

SHA512
498c85d87734ad07b8a3d37f7911d31206c4dfd99e983c8d86410cc14fbaae4ebd523032d1c025407dc9ffcc7cbbeef348f20e58fa63aeb34ed54073f52788aa

Download Submit
memory/2164-133-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/2164-140-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-135-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-156-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-155-0x00000000059B0000-0x0000000005A2A000-memory.dmp

Filesize
488KB

Download
memory/2776-154-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2776-153-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/4804-131-0x0000000006CF0000-0x0000000006E9A000-memory.dmp

Filesize
1.7MB

Download
memory/4804-130-0x0000000002AF0000-0x0000000002B04000-memory.dmp

Filesize
80KB

Download
memory/4804-138-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/4804-123-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/4804-125-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/4804-127-0x0000000005300000-0x0000000005356000-memory.dmp

Filesize
344KB

Download
memory/4804-132-0x0000000006EA0000-0x0000000006FFA000-memory.dmp

Filesize
1.4MB

Download
memory/4804-126-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/4804-122-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/4804-128-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/4804-129-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/4804-120-0x00000000005E0000-0x0000000000804000-memory.dmp

Filesize
2.1MB

Download
memory/4804-124-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/4804-121-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/5000-152-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/5000-147-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

Filesize
64KB

Download
memory/5000-146-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/5000-145-0x0000000005CC0000-0x0000000005CD0000-memory.dmp

Filesize
64KB

Download
memory/5000-144-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download