eternity | 88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe
Size

1.1MB
MD5

5a3ddf0c0b07ce709c802ee3ee000438
SHA1

c5d128fab542ba17c92db8481215167f16b2a606
SHA256

88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb
SHA512

6e1b6e6fcee9aea6cd91cfded327ab284195a742a8fe39636d830de44c4d51b15b522ffb25e496a0fdca0ab1a13fb6f44cdb43fc71f935559250537fa28af996
SSDEEP

24576:DwT7rC6qoKmtTUhxD+iecTryJWlnjVcT:KrC6qoKDN3r1jV

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/3764-0-0x0000000000AC0000-0x0000000000BC2000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe	88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe	88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe

Executes dropped EXE 1 IoCs

pid	Process
1380	dcd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 1380	3764	88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe	82
PID 3764 wrote to memory of 1380	3764	88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe	82
PID 3764 wrote to memory of 1380	3764	88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe	82

C:\Users\Admin\AppData\Local\Temp\88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe
"C:\Users\Admin\AppData\Local\Temp\88b9188a51717b40cd1921bd8d760dddccc43ab7c3b6015b3091faf1eaf783eb.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
memory/3764-3-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3764-0-0x0000000000AC0000-0x0000000000BC2000-memory.dmp

Filesize
1.0MB

Download
memory/3764-4-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3764-6-0x000000001B800000-0x000000001B810000-memory.dmp

Filesize
64KB

Download
memory/3764-5-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3764-7-0x0000000002D80000-0x0000000002DBE000-memory.dmp

Filesize
248KB

Download
memory/3764-8-0x000000001B800000-0x000000001B810000-memory.dmp

Filesize
64KB

Download
memory/3764-2-0x000000001B6D0000-0x000000001B720000-memory.dmp

Filesize
320KB

Download
memory/3764-1-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/3764-15-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download
memory/3764-16-0x00007FFF69550000-0x00007FFF6A011000-memory.dmp

Filesize
10.8MB

Download