eternity | bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
Size

1.6MB
MD5

3ff60bb00b635f8d94673252138c1319
SHA1

a41e71b7583d5b49f82b6afaab70f9d89c77e4d5
SHA256

bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169
SHA512

2d1da58a7021c9932a37f9be4569c19483b4a2dc169ccf0f978d21aa7720bb4bb7b822de693deebf2bedd0c12e370fc43ff7f0498cfa85d0ba0bf6da36d64d26
SSDEEP

49152:5ojy+A3cPEDkG+4LNl1R0FuWrDn74Vy6cewVs0B1H0:5ojyUMDVBr0FnrDTVtZ

Score

10^/10

eternity collection

Malware Config

Extracted

Family

eternity

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
3060	ms_update.exe
2028	ms_updater.exe

Loads dropped DLL 5 IoCs

pid	Process
2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
2028	ms_updater.exe
2028	ms_updater.exe
2028	ms_updater.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 2912	2028	ms_updater.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2912	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 3060	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2016 wrote to memory of 3060	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2016 wrote to memory of 3060	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2016 wrote to memory of 3060	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2016 wrote to memory of 3060	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2016 wrote to memory of 3060	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2016 wrote to memory of 3060	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2016 wrote to memory of 2028	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	30
PID 2016 wrote to memory of 2028	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	30
PID 2016 wrote to memory of 2028	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	30
PID 2016 wrote to memory of 2028	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	30
PID 2016 wrote to memory of 2028	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	30
PID 2016 wrote to memory of 2028	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	30
PID 2016 wrote to memory of 2028	2016	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	30
PID 2028 wrote to memory of 2664	2028	ms_updater.exe	31
PID 2028 wrote to memory of 2664	2028	ms_updater.exe	31
PID 2028 wrote to memory of 2664	2028	ms_updater.exe	31
PID 2028 wrote to memory of 2664	2028	ms_updater.exe	31
PID 2028 wrote to memory of 2664	2028	ms_updater.exe	31
PID 2028 wrote to memory of 2664	2028	ms_updater.exe	31
PID 2028 wrote to memory of 2664	2028	ms_updater.exe	31
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2028 wrote to memory of 2912	2028	ms_updater.exe	32
PID 2912 wrote to memory of 2116	2912	AppLaunch.exe	34
PID 2912 wrote to memory of 2116	2912	AppLaunch.exe	34
PID 2912 wrote to memory of 2116	2912	AppLaunch.exe	34
PID 2912 wrote to memory of 2116	2912	AppLaunch.exe	34
PID 2912 wrote to memory of 2116	2912	AppLaunch.exe	34
PID 2912 wrote to memory of 2116	2912	AppLaunch.exe	34
PID 2912 wrote to memory of 2116	2912	AppLaunch.exe	34
PID 2116 wrote to memory of 1740	2116	cmd.exe	36
PID 2116 wrote to memory of 1740	2116	cmd.exe	36
PID 2116 wrote to memory of 1740	2116	cmd.exe	36
PID 2116 wrote to memory of 1740	2116	cmd.exe	36
PID 2116 wrote to memory of 1740	2116	cmd.exe	36
PID 2116 wrote to memory of 1740	2116	cmd.exe	36
PID 2116 wrote to memory of 1740	2116	cmd.exe	36
PID 2116 wrote to memory of 1976	2116	cmd.exe	37
PID 2116 wrote to memory of 1976	2116	cmd.exe	37
PID 2116 wrote to memory of 1976	2116	cmd.exe	37
PID 2116 wrote to memory of 1976	2116	cmd.exe	37
PID 2116 wrote to memory of 1976	2116	cmd.exe	37
PID 2116 wrote to memory of 1976	2116	cmd.exe	37
PID 2116 wrote to memory of 1976	2116	cmd.exe	37
PID 2116 wrote to memory of 584	2116	cmd.exe	38
PID 2116 wrote to memory of 584	2116	cmd.exe	38
PID 2116 wrote to memory of 584	2116	cmd.exe	38
PID 2116 wrote to memory of 584	2116	cmd.exe	38
PID 2116 wrote to memory of 584	2116	cmd.exe	38
PID 2116 wrote to memory of 584	2116	cmd.exe	38
PID 2116 wrote to memory of 584	2116	cmd.exe	38
PID 2912 wrote to memory of 1636	2912	AppLaunch.exe	39
PID 2912 wrote to memory of 1636	2912	AppLaunch.exe	39
PID 2912 wrote to memory of 1636	2912	AppLaunch.exe	39

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
"C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Roaming\ms_update.exe
  "C:\Users\Admin\AppData\Roaming\ms_update.exe"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Users\Admin\AppData\Roaming\ms_updater.exe
  "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
      4⤵
      PID:1636
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        5⤵
        
        PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms_update.exe

Filesize
917KB

MD5
9481b1dfcf5c3f900285700b63d538a7

SHA1
30b6d34b391f92f9004608f08ecf8f52bc4d88ad

SHA256
b112c6ded1a8af1ece407b8f141ada083ca96341b0164aa6a42f45b6cc002c60

SHA512
b0353832dc773a075be5709976bee9b563010495a6c810f03863e6eff381bf709613384bda106c9ebc210aa9ca60feae9392edbdcc63669993371a925c1eefea

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_update.exe

Filesize
917KB

MD5
9481b1dfcf5c3f900285700b63d538a7

SHA1
30b6d34b391f92f9004608f08ecf8f52bc4d88ad

SHA256
b112c6ded1a8af1ece407b8f141ada083ca96341b0164aa6a42f45b6cc002c60

SHA512
b0353832dc773a075be5709976bee9b563010495a6c810f03863e6eff381bf709613384bda106c9ebc210aa9ca60feae9392edbdcc63669993371a925c1eefea

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
memory/2912-16-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2912-18-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2912-20-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2912-21-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2912-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2912-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2912-27-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download