eternity | bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
Size

1.6MB
MD5

3ff60bb00b635f8d94673252138c1319
SHA1

a41e71b7583d5b49f82b6afaab70f9d89c77e4d5
SHA256

bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169
SHA512

2d1da58a7021c9932a37f9be4569c19483b4a2dc169ccf0f978d21aa7720bb4bb7b822de693deebf2bedd0c12e370fc43ff7f0498cfa85d0ba0bf6da36d64d26
SSDEEP

49152:5ojy+A3cPEDkG+4LNl1R0FuWrDn74Vy6cewVs0B1H0:5ojyUMDVBr0FnrDTVtZ

Score

10^/10

eternity collection

Malware Config

Extracted

Family

eternity

http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 2 IoCs

pid	Process
2776	ms_update.exe
2768	ms_updater.exe

Loads dropped DLL 5 IoCs

pid	Process
2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
2768	ms_updater.exe
2768	ms_updater.exe
2768	ms_updater.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2328	2768	ms_updater.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2328	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2776	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2164 wrote to memory of 2776	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2164 wrote to memory of 2776	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2164 wrote to memory of 2776	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2164 wrote to memory of 2776	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2164 wrote to memory of 2776	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2164 wrote to memory of 2776	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	28
PID 2164 wrote to memory of 2768	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	29
PID 2164 wrote to memory of 2768	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	29
PID 2164 wrote to memory of 2768	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	29
PID 2164 wrote to memory of 2768	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	29
PID 2164 wrote to memory of 2768	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	29
PID 2164 wrote to memory of 2768	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	29
PID 2164 wrote to memory of 2768	2164	bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe	29
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2768 wrote to memory of 2328	2768	ms_updater.exe	31
PID 2328 wrote to memory of 2452	2328	AppLaunch.exe	33
PID 2328 wrote to memory of 2452	2328	AppLaunch.exe	33
PID 2328 wrote to memory of 2452	2328	AppLaunch.exe	33
PID 2328 wrote to memory of 2452	2328	AppLaunch.exe	33
PID 2328 wrote to memory of 2452	2328	AppLaunch.exe	33
PID 2328 wrote to memory of 2452	2328	AppLaunch.exe	33
PID 2328 wrote to memory of 2452	2328	AppLaunch.exe	33
PID 2452 wrote to memory of 676	2452	cmd.exe	35
PID 2452 wrote to memory of 676	2452	cmd.exe	35
PID 2452 wrote to memory of 676	2452	cmd.exe	35
PID 2452 wrote to memory of 676	2452	cmd.exe	35
PID 2452 wrote to memory of 676	2452	cmd.exe	35
PID 2452 wrote to memory of 676	2452	cmd.exe	35
PID 2452 wrote to memory of 676	2452	cmd.exe	35
PID 2452 wrote to memory of 472	2452	cmd.exe	36
PID 2452 wrote to memory of 472	2452	cmd.exe	36
PID 2452 wrote to memory of 472	2452	cmd.exe	36
PID 2452 wrote to memory of 472	2452	cmd.exe	36
PID 2452 wrote to memory of 472	2452	cmd.exe	36
PID 2452 wrote to memory of 472	2452	cmd.exe	36
PID 2452 wrote to memory of 472	2452	cmd.exe	36
PID 2452 wrote to memory of 772	2452	cmd.exe	37
PID 2452 wrote to memory of 772	2452	cmd.exe	37
PID 2452 wrote to memory of 772	2452	cmd.exe	37
PID 2452 wrote to memory of 772	2452	cmd.exe	37
PID 2452 wrote to memory of 772	2452	cmd.exe	37
PID 2452 wrote to memory of 772	2452	cmd.exe	37
PID 2452 wrote to memory of 772	2452	cmd.exe	37
PID 2328 wrote to memory of 2892	2328	AppLaunch.exe	38
PID 2328 wrote to memory of 2892	2328	AppLaunch.exe	38
PID 2328 wrote to memory of 2892	2328	AppLaunch.exe	38
PID 2328 wrote to memory of 2892	2328	AppLaunch.exe	38
PID 2328 wrote to memory of 2892	2328	AppLaunch.exe	38
PID 2328 wrote to memory of 2892	2328	AppLaunch.exe	38
PID 2328 wrote to memory of 2892	2328	AppLaunch.exe	38
PID 2892 wrote to memory of 2552	2892	cmd.exe	40
PID 2892 wrote to memory of 2552	2892	cmd.exe	40
PID 2892 wrote to memory of 2552	2892	cmd.exe	40

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
"C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\ms_update.exe
  "C:\Users\Admin\AppData\Roaming\ms_update.exe"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Users\Admin\AppData\Roaming\ms_updater.exe
  "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:676
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:472
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr Key
        5⤵
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ms_update.exe

Filesize
917KB

MD5
13ae9f0dc22361134cb9de34ee0356cc

SHA1
60854a885f4e184c447c77a6be0a0803e5d7cac7

SHA256
13d8033877dc52ec602247a96eb594600cd07e0e061595d262f99b05ad4310c4

SHA512
fb58c5696531f94f26a99ba8e820bbdf544d60b80aaba378e4bed681a57ea5f74988e8581c76917455bd55329c2fe7fcace2748ee6fdcaebd0da9f59b1e5c163

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
C:\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_update.exe

Filesize
917KB

MD5
13ae9f0dc22361134cb9de34ee0356cc

SHA1
60854a885f4e184c447c77a6be0a0803e5d7cac7

SHA256
13d8033877dc52ec602247a96eb594600cd07e0e061595d262f99b05ad4310c4

SHA512
fb58c5696531f94f26a99ba8e820bbdf544d60b80aaba378e4bed681a57ea5f74988e8581c76917455bd55329c2fe7fcace2748ee6fdcaebd0da9f59b1e5c163

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
\Users\Admin\AppData\Roaming\ms_updater.exe

Filesize
443KB

MD5
8a2c454b6571e226223f0f0ffc03f58b

SHA1
c5c83e9769d35c7ac5efa45d228117453b87621e

SHA256
7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36

SHA512
c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09

Download Submit
memory/2328-17-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2328-16-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2328-18-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2328-19-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2328-21-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2328-20-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-23-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2328-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download