eternity | 20e7a909cd4963dfe27d914218a6eb64bbc0eede5cd3f34ec8f45e79f7d199c6

Resubmissions

11-12-2023 22:31

231211-2fln2sadgr 10

11-12-2023 22:31

231211-2ffsssbgd8 10

10-01-2023 13:23

230110-qmt38agb55 10

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
Size

272.5MB
MD5

288f11cbc24d805ab059c0fd18b0beb3
SHA1

88a529879a7726a6a4ea96c02f5e49ab884e3f1f
SHA256

37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe
SHA512

422892f79e37b9786ba0883b9e060b5cdefaf6e137dda2efd9ad10de0e211f53e8a076810bd89b9ee40d5f6c4cb85d20ef8711492e43f2adf67aec58607d06f1
SSDEEP

6144:qkE/XiFlYwesDZ9qBP9xjWUxA1eW+qKbLxn604WwMDu9XzQMat/dfJE3aaTRSaGf:z7Fbmd2Msc/WEPjTLTiXpFPZe

Score

10^/10

eternity collection

Malware Config

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 2284	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1888	2232	WerFault.exe	27

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2284	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	vbc.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2284	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	29
PID 2232 wrote to memory of 2284	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	29
PID 2232 wrote to memory of 2284	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	29
PID 2232 wrote to memory of 2284	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	29
PID 2232 wrote to memory of 2284	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	29
PID 2232 wrote to memory of 2284	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	29
PID 2232 wrote to memory of 1888	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	30
PID 2232 wrote to memory of 1888	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	30
PID 2232 wrote to memory of 1888	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	30
PID 2232 wrote to memory of 1888	2232	37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe	30
PID 2284 wrote to memory of 2968	2284	vbc.exe	32
PID 2284 wrote to memory of 2968	2284	vbc.exe	32
PID 2284 wrote to memory of 2968	2284	vbc.exe	32
PID 2284 wrote to memory of 2968	2284	vbc.exe	32
PID 2968 wrote to memory of 2552	2968	cmd.exe	34
PID 2968 wrote to memory of 2552	2968	cmd.exe	34
PID 2968 wrote to memory of 2552	2968	cmd.exe	34
PID 2968 wrote to memory of 2552	2968	cmd.exe	34
PID 2968 wrote to memory of 2496	2968	cmd.exe	35
PID 2968 wrote to memory of 2496	2968	cmd.exe	35
PID 2968 wrote to memory of 2496	2968	cmd.exe	35
PID 2968 wrote to memory of 2496	2968	cmd.exe	35
PID 2968 wrote to memory of 2508	2968	cmd.exe	36
PID 2968 wrote to memory of 2508	2968	cmd.exe	36
PID 2968 wrote to memory of 2508	2968	cmd.exe	36
PID 2968 wrote to memory of 2508	2968	cmd.exe	36
PID 2284 wrote to memory of 2576	2284	vbc.exe	37
PID 2284 wrote to memory of 2576	2284	vbc.exe	37
PID 2284 wrote to memory of 2576	2284	vbc.exe	37
PID 2284 wrote to memory of 2576	2284	vbc.exe	37
PID 2576 wrote to memory of 2928	2576	cmd.exe	39
PID 2576 wrote to memory of 2928	2576	cmd.exe	39
PID 2576 wrote to memory of 2928	2576	cmd.exe	39
PID 2576 wrote to memory of 2928	2576	cmd.exe	39
PID 2576 wrote to memory of 2556	2576	cmd.exe	40
PID 2576 wrote to memory of 2556	2576	cmd.exe	40
PID 2576 wrote to memory of 2556	2576	cmd.exe	40
PID 2576 wrote to memory of 2556	2576	cmd.exe	40
PID 2576 wrote to memory of 1300	2576	cmd.exe	41
PID 2576 wrote to memory of 1300	2576	cmd.exe	41
PID 2576 wrote to memory of 1300	2576	cmd.exe	41
PID 2576 wrote to memory of 1300	2576	cmd.exe	41

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe
"C:\Users\Admin\AppData\Local\Temp\37c93873f34ffd989ab354eb535bb56b3fb997835c1ec6be7c2219217d8cefbe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile name="65001" key=clear
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\findstr.exe
      findstr Key
      4⤵
      PID:1300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 124
  2⤵
  - Program crash
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-0-0x0000000000A20000-0x0000000000A9B000-memory.dmp

Filesize
492KB

Download
memory/2284-1-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2284-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2284-3-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2284-9-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2284-10-0x0000000000080000-0x00000000000DA000-memory.dmp

Filesize
360KB

Download
memory/2284-11-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-12-0x0000000005630000-0x0000000005670000-memory.dmp

Filesize
256KB

Download
memory/2284-13-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download