eternity | 37e40b732239b322fd186e507776d21ef55a18ce71e8eaebc86d7ab30ee36ce6

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe
Size

308KB
MD5

7d1f8be5694ddb81c2b1681b44c996e0
SHA1

76e5ac30ae7962c76795d517dcb34327e65e04ed
SHA256

37e40b732239b322fd186e507776d21ef55a18ce71e8eaebc86d7ab30ee36ce6
SHA512

4512705c1f251e94ec7d040a826a51c4d0c133c0677918a17bf6f8f3086921aa561673d8eb46881a14037a040dccf143defa19b8f6b21aef122fae1cd1c5dd8c
SSDEEP

1536:l2eDy4RZvZZqQKOsssssssswJEYw04IIssssssssssUwcrgZQwMEoIQssos4ssoK:T7HZZqZ//gl

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4924	1200	WerFault.exe	85

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3364	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 3364	1200	NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe	89
PID 1200 wrote to memory of 3364	1200	NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe	89
PID 1200 wrote to memory of 3364	1200	NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7d1f8be5694ddb81c2b1681b44c996e0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\isaacv1.7.8a.0000-20220808-203734-24520-3656.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 988
  2⤵
  - Program crash
  PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1200 -ip 1200
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\isaacv1.7.8a.0000-20220808-203734-24520-3656.exe

Filesize
708B

MD5
8e9fd37eab1ebb993dc0c83f98bf62d9

SHA1
bad9c31e86a27cf22eb41bacd4115b3e237f57b8

SHA256
2a010cfb99e6151a605b379173e02a6377adaa74dd7afe47cc4ba27813f97f25

SHA512
44379ef5cda8bf63aa83d78633b2729f8651024e985882c9bf2312f532a95d364fce2ee7386f0a43b71129c8edc2fa750a3e795bdc69cdf2571ea02d09f22307

Download Submit
C:\Users\Admin\AppData\Local\Temp\isaacv1.7.8a.0000-20220808-203734-24520-3656.txt

Filesize
246KB

MD5
9b407459c2b71bb02a0f58bd5c06a4e3

SHA1
d0e86b447cd253e758471c0f15969bd2af667593

SHA256
75ea4bab903818d31a4bf50167c0bedc46da8c9873dca94adeeabe9b1327ea98

SHA512
aad0c61d1667e131907c0ce4aa6e4c40bc6970c13ba2bc587d5cc84d35156afdc313f58a8cc7cbeccf63209c92ce44eb34a5f4f3437ddac8a05a9200fb6d1107

Download Submit
memory/1200-0-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/1200-1-0x0000000000D00000-0x0000000000D52000-memory.dmp

Filesize
328KB

Download
memory/1200-2-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1200-15-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download