eternity | e2057c960dfd27a0934e680b88f05d3d0a1420b1dd13a0b466cefcc4b1ff1e38

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6367f27e09bef5c1df57a00325c6f000.exe
Size

1.9MB
MD5

6367f27e09bef5c1df57a00325c6f000
SHA1

45ebda2e8be86bae6a704475c85cf3a2d3c23071
SHA256

e2057c960dfd27a0934e680b88f05d3d0a1420b1dd13a0b466cefcc4b1ff1e38
SHA512

a452ebad0af84dd86e840c00d9ba9f09ea7ba24597320d5d6ccc49fd36c21949fc59dd0bff05df23b21e17c82f2b416c4838bfd58119f23bd73ef7ed28ea595c
SSDEEP

49152:75uDZC81N59bD390ZA6DTDCjmLRnEEx94G6TrmpZoVXwG3ca2:tuDZCiN0ZA6zCjmBEA6eZo53q

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://164.92.158.93/eth.exe

http://164.92.158.93/bcs.exe, http://164.92.158.93/Bnb.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 4 IoCs

pid	Process
2804	sprite-min.exe
1768	sprite-min.exe
2892	sprite-min.exe
2524	sprite-min.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	NEAS.6367f27e09bef5c1df57a00325c6f000.exe
2736	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2636	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2560	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	sprite-min.exe
Token: SeDebugPrivilege	2892	sprite-min.exe
Token: SeDebugPrivilege	2524	sprite-min.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3068	DllHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2804	2112	NEAS.6367f27e09bef5c1df57a00325c6f000.exe	29
PID 2112 wrote to memory of 2804	2112	NEAS.6367f27e09bef5c1df57a00325c6f000.exe	29
PID 2112 wrote to memory of 2804	2112	NEAS.6367f27e09bef5c1df57a00325c6f000.exe	29
PID 2112 wrote to memory of 2804	2112	NEAS.6367f27e09bef5c1df57a00325c6f000.exe	29
PID 2804 wrote to memory of 2736	2804	sprite-min.exe	30
PID 2804 wrote to memory of 2736	2804	sprite-min.exe	30
PID 2804 wrote to memory of 2736	2804	sprite-min.exe	30
PID 2804 wrote to memory of 2736	2804	sprite-min.exe	30
PID 2736 wrote to memory of 2564	2736	cmd.exe	32
PID 2736 wrote to memory of 2564	2736	cmd.exe	32
PID 2736 wrote to memory of 2564	2736	cmd.exe	32
PID 2736 wrote to memory of 2564	2736	cmd.exe	32
PID 2736 wrote to memory of 2560	2736	cmd.exe	33
PID 2736 wrote to memory of 2560	2736	cmd.exe	33
PID 2736 wrote to memory of 2560	2736	cmd.exe	33
PID 2736 wrote to memory of 2560	2736	cmd.exe	33
PID 2736 wrote to memory of 2636	2736	cmd.exe	34
PID 2736 wrote to memory of 2636	2736	cmd.exe	34
PID 2736 wrote to memory of 2636	2736	cmd.exe	34
PID 2736 wrote to memory of 2636	2736	cmd.exe	34
PID 2736 wrote to memory of 1768	2736	cmd.exe	35
PID 2736 wrote to memory of 1768	2736	cmd.exe	35
PID 2736 wrote to memory of 1768	2736	cmd.exe	35
PID 2736 wrote to memory of 1768	2736	cmd.exe	35
PID 2848 wrote to memory of 2892	2848	taskeng.exe	39
PID 2848 wrote to memory of 2892	2848	taskeng.exe	39
PID 2848 wrote to memory of 2892	2848	taskeng.exe	39
PID 2848 wrote to memory of 2892	2848	taskeng.exe	39
PID 2848 wrote to memory of 2524	2848	taskeng.exe	40
PID 2848 wrote to memory of 2524	2848	taskeng.exe	40
PID 2848 wrote to memory of 2524	2848	taskeng.exe	40
PID 2848 wrote to memory of 2524	2848	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\NEAS.6367f27e09bef5c1df57a00325c6f000.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6367f27e09bef5c1df57a00325c6f000.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\sprite-min.exe
  "C:\Users\Admin\AppData\Local\Temp\sprite-min.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "sprite-min" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\sprite-min.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2560
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "sprite-min" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2636
  - - C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1768

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:3068

C:\Windows\system32\taskeng.exe
taskeng.exe {65A5A108-C6B1-48CB-BBD2-0F033889EF21} S-1-5-21-3837739534-3148647840-3445085216-1000:RBHOAWCN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe
  C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe
  C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sprite-min.png

Filesize
578KB

MD5
5bd325ea43814d4b0d0040d3dbe85a5e

SHA1
916ca350a08b1ad72b48db8eecec421364df0ae0

SHA256
a320ff9695b2470d05cf73ef41827cb5606f071564fa069d8ea78c91ff9d9f94

SHA512
6805f18f73d2a98bfef46074872de33ed02e9f3eb57f00301bd576e41f4a11e571c3c578cb1c35ddeec8616e9ad42aa60573e831de2f8ebbaf73268c0619b170

Download Submit
\Users\Admin\AppData\Local\ServiceHub\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
\Users\Admin\AppData\Local\Temp\sprite-min.exe

Filesize
1.3MB

MD5
2319728f33f753b272fe8367551424ac

SHA1
1ac0ae6ec2e9f31a5ea493c595a3ab1caa309a1a

SHA256
b1556d396b3dc4c8060aad7ed5cf6843c9726368ed6223e8d1d643a8b92e9441

SHA512
239f8d9f9558af88c82947f7d45436a5638792a93d920713003359ed8e765084b21a4cfccaacabac6dab5449059b5730273feee23e5795c9e9a091180f1d634a

Download Submit
memory/1768-29-0x00000000059E0000-0x0000000005B2A000-memory.dmp

Filesize
1.3MB

Download
memory/1768-26-0x00000000022C0000-0x0000000002300000-memory.dmp

Filesize
256KB

Download
memory/1768-28-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-25-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-24-0x0000000000A70000-0x0000000000BC2000-memory.dmp

Filesize
1.3MB

Download
memory/1768-30-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-15-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-1-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-0-0x0000000000B00000-0x0000000000CE6000-memory.dmp

Filesize
1.9MB

Download
memory/2112-4-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/2112-2-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2524-42-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-41-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-40-0x00000000011A0000-0x00000000011E0000-memory.dmp

Filesize
256KB

Download
memory/2524-39-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-38-0x0000000001340000-0x0000000001492000-memory.dmp

Filesize
1.3MB

Download
memory/2804-16-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-14-0x0000000000AF0000-0x0000000000C42000-memory.dmp

Filesize
1.3MB

Download
memory/2804-20-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-33-0x0000000001340000-0x0000000001492000-memory.dmp

Filesize
1.3MB

Download
memory/2892-36-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-35-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-34-0x0000000001280000-0x00000000012C0000-memory.dmp

Filesize
256KB

Download
memory/2892-32-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-5-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3068-6-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3068-27-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads