eternity | a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

Analysis

max time kernel
125s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26-11-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0003000000000737-1039.exe
Size

14KB
MD5

a922561dc3eb681a439a93b07257f606
SHA1

ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241
SHA256

a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b
SHA512

25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9
SSDEEP

384:frnPpyQr13n3KBIPVIJv9zo5+mbVjyN6Tw/j0asEkx:1qv9M/bM7Yaq

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Deletes itself 1 IoCs

pid	Process
1216	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3040	0x0003000000000737-1039.exe
2968	0x0003000000000737-1039.exe
2656	0x0003000000000737-1039.exe

Loads dropped DLL 6 IoCs

pid	Process
1216	cmd.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe
2732	WerFault.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	3040	WerFault.exe	33

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2852	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2336	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	0x0003000000000737-1039.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1216	1076	0x0003000000000737-1039.exe	28
PID 1076 wrote to memory of 1216	1076	0x0003000000000737-1039.exe	28
PID 1076 wrote to memory of 1216	1076	0x0003000000000737-1039.exe	28
PID 1076 wrote to memory of 1216	1076	0x0003000000000737-1039.exe	28
PID 1216 wrote to memory of 2432	1216	cmd.exe	30
PID 1216 wrote to memory of 2432	1216	cmd.exe	30
PID 1216 wrote to memory of 2432	1216	cmd.exe	30
PID 1216 wrote to memory of 2432	1216	cmd.exe	30
PID 1216 wrote to memory of 2336	1216	cmd.exe	31
PID 1216 wrote to memory of 2336	1216	cmd.exe	31
PID 1216 wrote to memory of 2336	1216	cmd.exe	31
PID 1216 wrote to memory of 2336	1216	cmd.exe	31
PID 1216 wrote to memory of 2852	1216	cmd.exe	32
PID 1216 wrote to memory of 2852	1216	cmd.exe	32
PID 1216 wrote to memory of 2852	1216	cmd.exe	32
PID 1216 wrote to memory of 2852	1216	cmd.exe	32
PID 1216 wrote to memory of 3040	1216	cmd.exe	33
PID 1216 wrote to memory of 3040	1216	cmd.exe	33
PID 1216 wrote to memory of 3040	1216	cmd.exe	33
PID 1216 wrote to memory of 3040	1216	cmd.exe	33
PID 3040 wrote to memory of 2732	3040	0x0003000000000737-1039.exe	35
PID 3040 wrote to memory of 2732	3040	0x0003000000000737-1039.exe	35
PID 3040 wrote to memory of 2732	3040	0x0003000000000737-1039.exe	35
PID 3040 wrote to memory of 2732	3040	0x0003000000000737-1039.exe	35
PID 1636 wrote to memory of 2968	1636	taskeng.exe	39
PID 1636 wrote to memory of 2968	1636	taskeng.exe	39
PID 1636 wrote to memory of 2968	1636	taskeng.exe	39
PID 1636 wrote to memory of 2968	1636	taskeng.exe	39
PID 1636 wrote to memory of 2656	1636	taskeng.exe	40
PID 1636 wrote to memory of 2656	1636	taskeng.exe	40
PID 1636 wrote to memory of 2656	1636	taskeng.exe	40
PID 1636 wrote to memory of 2656	1636	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\0x0003000000000737-1039.exe
"C:\Users\Admin\AppData\Local\Temp\0x0003000000000737-1039.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "0x0003000000000737-1039" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\0x0003000000000737-1039.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "0x0003000000000737-1039" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2852
- - C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1192
      4⤵
      Loads dropped DLL
      Program crash
      PID:2732

C:\Windows\system32\taskeng.exe
taskeng.exe {DD12BFC6-6D20-47F2-B301-BBA12CC6C83E} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
  C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
  C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
  2⤵
  - Executes dropped EXE
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
memory/1076-0-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/1076-4-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/1076-1-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-21-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download
memory/2656-22-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-19-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-8-0x00000000013E0000-0x00000000013EA000-memory.dmp

Filesize
40KB

Download
memory/3040-10-0x0000000004E70000-0x0000000004EB0000-memory.dmp

Filesize
256KB

Download
memory/3040-9-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-16-0x00000000732C0000-0x00000000739AE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-17-0x0000000004E70000-0x0000000004EB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads