eternity | 2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe
Size

917KB
MD5

3f69058c8f3677d149bacdc33658c116
SHA1

ace9ce964c208b097082d7ea017d5bb2d007512c
SHA256

2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75
SHA512

2930fc9dc530f4480d585139f32312ecd08c726285e8256c61c36f0d4b4d6cd08d44aebf1d2acf91926112fa5217c0da6cc3bb5f73a31e8d299fc4dc5772e970
SSDEEP

12288:NWJ4mHCx2O14t86aJOh7xfXmiT0HcMjrFZAw0tbqVuUkVR2vm:NuHCcO14t86aJOlk+05jrEtbq+

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 3 IoCs

pid	Process
3028	AppLaunch.exe
2564	AppLaunch.exe
2676	AppLaunch.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1044	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 1080 wrote to memory of 2128	1080	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	29
PID 2128 wrote to memory of 2064	2128	AppLaunch.exe	30
PID 2128 wrote to memory of 2064	2128	AppLaunch.exe	30
PID 2128 wrote to memory of 2064	2128	AppLaunch.exe	30
PID 2128 wrote to memory of 2064	2128	AppLaunch.exe	30
PID 2128 wrote to memory of 2064	2128	AppLaunch.exe	30
PID 2128 wrote to memory of 2064	2128	AppLaunch.exe	30
PID 2128 wrote to memory of 2064	2128	AppLaunch.exe	30
PID 2064 wrote to memory of 2296	2064	cmd.exe	32
PID 2064 wrote to memory of 2296	2064	cmd.exe	32
PID 2064 wrote to memory of 2296	2064	cmd.exe	32
PID 2064 wrote to memory of 2296	2064	cmd.exe	32
PID 2064 wrote to memory of 2296	2064	cmd.exe	32
PID 2064 wrote to memory of 2296	2064	cmd.exe	32
PID 2064 wrote to memory of 2296	2064	cmd.exe	32
PID 2064 wrote to memory of 2516	2064	cmd.exe	33
PID 2064 wrote to memory of 2516	2064	cmd.exe	33
PID 2064 wrote to memory of 2516	2064	cmd.exe	33
PID 2064 wrote to memory of 2516	2064	cmd.exe	33
PID 2064 wrote to memory of 2516	2064	cmd.exe	33
PID 2064 wrote to memory of 2516	2064	cmd.exe	33
PID 2064 wrote to memory of 2516	2064	cmd.exe	33
PID 2064 wrote to memory of 1044	2064	cmd.exe	34
PID 2064 wrote to memory of 1044	2064	cmd.exe	34
PID 2064 wrote to memory of 1044	2064	cmd.exe	34
PID 2064 wrote to memory of 1044	2064	cmd.exe	34
PID 2064 wrote to memory of 1044	2064	cmd.exe	34
PID 2064 wrote to memory of 1044	2064	cmd.exe	34
PID 2064 wrote to memory of 1044	2064	cmd.exe	34
PID 2064 wrote to memory of 3028	2064	cmd.exe	35
PID 2064 wrote to memory of 3028	2064	cmd.exe	35
PID 2064 wrote to memory of 3028	2064	cmd.exe	35
PID 2064 wrote to memory of 3028	2064	cmd.exe	35
PID 2064 wrote to memory of 3028	2064	cmd.exe	35
PID 2064 wrote to memory of 3028	2064	cmd.exe	35
PID 2064 wrote to memory of 3028	2064	cmd.exe	35
PID 2708 wrote to memory of 2564	2708	taskeng.exe	39
PID 2708 wrote to memory of 2564	2708	taskeng.exe	39
PID 2708 wrote to memory of 2564	2708	taskeng.exe	39
PID 2708 wrote to memory of 2564	2708	taskeng.exe	39
PID 2708 wrote to memory of 2564	2708	taskeng.exe	39
PID 2708 wrote to memory of 2564	2708	taskeng.exe	39
PID 2708 wrote to memory of 2564	2708	taskeng.exe	39
PID 2708 wrote to memory of 2676	2708	taskeng.exe	40
PID 2708 wrote to memory of 2676	2708	taskeng.exe	40
PID 2708 wrote to memory of 2676	2708	taskeng.exe	40
PID 2708 wrote to memory of 2676	2708	taskeng.exe	40
PID 2708 wrote to memory of 2676	2708	taskeng.exe	40
PID 2708 wrote to memory of 2676	2708	taskeng.exe	40
PID 2708 wrote to memory of 2676	2708	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe
"C:\Users\Admin\AppData\Local\Temp\2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2296
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2516
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1044
  - - C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
      4⤵
      Executes dropped EXE
      PID:3028

C:\Windows\system32\taskeng.exe
taskeng.exe {83A5727C-1746-487E-9136-3D63987729B6} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
  C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
  C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
  2⤵
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
memory/2128-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-10-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-13-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2128-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads