eternity | d5f09601ed17b079f0b5adc3530af9018e58b9bdca84835b60206a90eb9713d5

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-12-2023 23:01

Target

1e7a970a056984addf9c93a3819541ac.exe
Size

880KB
MD5

1e7a970a056984addf9c93a3819541ac
SHA1

a8dd596af56049cf2b9c40b8fc063509f2adac8d
SHA256

d5f09601ed17b079f0b5adc3530af9018e58b9bdca84835b60206a90eb9713d5
SHA512

8f6efe048c28f87f255aa041306af82936b9fc2d75156477a1abde5de33dc837999bb2a3204ccca5603ffd4f19cf9c967258350f3e5e769d3129d3f00719718b
SSDEEP

12288:6TEYAsROAsrt/uxduo1jB0Y96qR4/WGdN1TEC69lew8o1y0R59Ya/5yeCANEdFaE:6wT7rC6qRMO9l18AxG4RfEveU

Score

10^/10

eternity stealer

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2496-0-0x0000000000E80000-0x0000000000F64000-memory.dmp	eternity_stealer
behavioral1/memory/2496-6-0x000000001B390000-0x000000001B410000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e7a970a056984addf9c93a3819541ac.exe	1e7a970a056984addf9c93a3819541ac.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e7a970a056984addf9c93a3819541ac.exe	1e7a970a056984addf9c93a3819541ac.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	1e7a970a056984addf9c93a3819541ac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2516	2496	1e7a970a056984addf9c93a3819541ac.exe	28
PID 2496 wrote to memory of 2516	2496	1e7a970a056984addf9c93a3819541ac.exe	28
PID 2496 wrote to memory of 2516	2496	1e7a970a056984addf9c93a3819541ac.exe	28

C:\Users\Admin\AppData\Local\Temp\1e7a970a056984addf9c93a3819541ac.exe
"C:\Users\Admin\AppData\Local\Temp\1e7a970a056984addf9c93a3819541ac.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2496 -s 756
  2⤵
  PID:2516

memory/2496-0-0x0000000000E80000-0x0000000000F64000-memory.dmp

Filesize
912KB

Download
memory/2496-1-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2496-5-0x00000000003D0000-0x000000000040E000-memory.dmp

Filesize
248KB

Download
memory/2496-3-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/2496-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-6-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/2496-7-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/2496-10-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-11-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download