eternity | bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169

Analysis

max time kernel
261s
max time network
308s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
26/11/2023, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
Size

1.6MB
MD5

3ff60bb00b635f8d94673252138c1319
SHA1

a41e71b7583d5b49f82b6afaab70f9d89c77e4d5
SHA256

bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169
SHA512

2d1da58a7021c9932a37f9be4569c19483b4a2dc169ccf0f978d21aa7720bb4bb7b822de693deebf2bedd0c12e370fc43ff7f0498cfa85d0ba0bf6da36d64d26
SSDEEP

49152:5ojy+A3cPEDkG+4LNl1R0FuWrDn74Vy6cewVs0B1H0:5ojyUMDVBr0FnrDTVtZ

Score

10^/10

eternity collection

Malware Config

Extracted

Family

eternity

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
5000	ms_update.exe
4996	ms_updater.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4996 set thread context of 2840	4996	ms_updater.exe	77

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2420	5000	WerFault.exe	71

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2840	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	AppLaunch.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 5000	696	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	71
PID 696 wrote to memory of 5000	696	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	71
PID 696 wrote to memory of 5000	696	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	71
PID 696 wrote to memory of 4996	696	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	72
PID 696 wrote to memory of 4996	696	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	72
PID 696 wrote to memory of 4996	696	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	72
PID 4996 wrote to memory of 2508	4996	ms_updater.exe	76
PID 4996 wrote to memory of 2508	4996	ms_updater.exe	76
PID 4996 wrote to memory of 2508	4996	ms_updater.exe	76
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 4996 wrote to memory of 2840	4996	ms_updater.exe	77
PID 2840 wrote to memory of 4984	2840	AppLaunch.exe	79
PID 2840 wrote to memory of 4984	2840	AppLaunch.exe	79
PID 2840 wrote to memory of 4984	2840	AppLaunch.exe	79
PID 4984 wrote to memory of 4448	4984	cmd.exe	81
PID 4984 wrote to memory of 4448	4984	cmd.exe	81
PID 4984 wrote to memory of 4448	4984	cmd.exe	81
PID 4984 wrote to memory of 4200	4984	cmd.exe	82
PID 4984 wrote to memory of 4200	4984	cmd.exe	82
PID 4984 wrote to memory of 4200	4984	cmd.exe	82
PID 4984 wrote to memory of 2864	4984	cmd.exe	83
PID 4984 wrote to memory of 2864	4984	cmd.exe	83
PID 4984 wrote to memory of 2864	4984	cmd.exe	83
PID 2840 wrote to memory of 1316	2840	AppLaunch.exe	84
PID 2840 wrote to memory of 1316	2840	AppLaunch.exe	84
PID 2840 wrote to memory of 1316	2840	AppLaunch.exe	84
PID 1316 wrote to memory of 2996	1316	cmd.exe	86
PID 1316 wrote to memory of 2996	1316	cmd.exe	86
PID 1316 wrote to memory of 2996	1316	cmd.exe	86
PID 1316 wrote to memory of 3688	1316	cmd.exe	87
PID 1316 wrote to memory of 3688	1316	cmd.exe	87
PID 1316 wrote to memory of 3688	1316	cmd.exe	87
PID 1316 wrote to memory of 4164	1316	cmd.exe	88
PID 1316 wrote to memory of 4164	1316	cmd.exe	88
PID 1316 wrote to memory of 4164	1316	cmd.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
"C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Roaming\ms_update.exe
  "C:\Users\Admin\AppData\Roaming\ms_update.exe"
  2⤵
  - Executes dropped EXE
  PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 148
    3⤵
    - Program crash
    PID:2420
- C:\Users\Admin\AppData\Roaming\ms_updater.exe
  "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:4200
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        5⤵
        
        PID:3688
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        5⤵
        
        PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms_update.exe

Filesize
917KB

MD5
752e7cc2c62a2e72bf3fb831587a3ec8

SHA1
99cf461ed01e827cc563046e3521e396b74b1499

SHA256
460454df164ddab147f172549c39ff33a3f54ec09f49f809119eb69a67698731

SHA512
c688c424e81be011db52312148be14ce4836657916dfed270b445b74682488fdb63b583e1c1124a14c2ddb049486182dff599faa8c41b2d1eced1e2d2e25e318

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
memory/2840-9-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2840-12-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-13-0x00000000099E0000-0x0000000009EDE000-memory.dmp

Filesize
5.0MB

Download
memory/2840-14-0x0000000009550000-0x00000000095B6000-memory.dmp

Filesize
408KB

Download
memory/2840-15-0x0000000009940000-0x0000000009950000-memory.dmp

Filesize
64KB

Download
memory/2840-16-0x000000000A2F0000-0x000000000A382000-memory.dmp

Filesize
584KB

Download
memory/2840-20-0x000000000AAF0000-0x000000000AB40000-memory.dmp

Filesize
320KB

Download
memory/2840-23-0x000000000ADE0000-0x000000000AE7C000-memory.dmp

Filesize
624KB

Download
memory/2840-31-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download