eternity | 2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75

General

Target

2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe
Size

917KB
MD5

3f69058c8f3677d149bacdc33658c116
SHA1

ace9ce964c208b097082d7ea017d5bb2d007512c
SHA256

2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75
SHA512

2930fc9dc530f4480d585139f32312ecd08c726285e8256c61c36f0d4b4d6cd08d44aebf1d2acf91926112fa5217c0da6cc3bb5f73a31e8d299fc4dc5772e970
SSDEEP

12288:NWJ4mHCx2O14t86aJOh7xfXmiT0HcMjrFZAw0tbqVuUkVR2vm:NuHCcO14t86aJOlk+05jrEtbq+

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 3 IoCs

pid	Process
2132	AppLaunch.exe
2856	AppLaunch.exe
4836	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4584	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4392	PING.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 3864	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	86
PID 2684 wrote to memory of 3864	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	86
PID 2684 wrote to memory of 3864	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	86
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 2684 wrote to memory of 3448	2684	2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe	87
PID 3448 wrote to memory of 4220	3448	AppLaunch.exe	90
PID 3448 wrote to memory of 4220	3448	AppLaunch.exe	90
PID 3448 wrote to memory of 4220	3448	AppLaunch.exe	90
PID 4220 wrote to memory of 3892	4220	cmd.exe	92
PID 4220 wrote to memory of 3892	4220	cmd.exe	92
PID 4220 wrote to memory of 3892	4220	cmd.exe	92
PID 4220 wrote to memory of 4392	4220	cmd.exe	93
PID 4220 wrote to memory of 4392	4220	cmd.exe	93
PID 4220 wrote to memory of 4392	4220	cmd.exe	93
PID 4220 wrote to memory of 4584	4220	cmd.exe	97
PID 4220 wrote to memory of 4584	4220	cmd.exe	97
PID 4220 wrote to memory of 4584	4220	cmd.exe	97
PID 4220 wrote to memory of 2132	4220	cmd.exe	99
PID 4220 wrote to memory of 2132	4220	cmd.exe	99
PID 4220 wrote to memory of 2132	4220	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe
"C:\Users\Admin\AppData\Local\Temp\2154dd3f8d7eb8355e0980367348f941a536d7990201af1421f9255d4a44cb75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3892
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4584
  - - C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
      "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
      4⤵
      Executes dropped EXE
      PID:2132

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe
1⤵
- Executes dropped EXE
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
memory/3448-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3448-1-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3448-2-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/3448-6-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads