eternity | 141df10bf9bbf630ab90efff70d1deaa5c3da3fda988a5ec85121128ef2e71e1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 19:55

Target

3993ed7cb4f9b54a54a4fe7f623e420c.exe
Size

891KB
MD5

3993ed7cb4f9b54a54a4fe7f623e420c
SHA1

71ae511d8c4cbcb4b44b6821b02c04085381c37d
SHA256

141df10bf9bbf630ab90efff70d1deaa5c3da3fda988a5ec85121128ef2e71e1
SHA512

0a42580b5a26a6cc9d7d3bf6bfa05b666a59de1a17289634ae019cc338b3d439615371671b4fb2523374f288e7801caf2c076485708e41bb9507720eed884a7f
SSDEEP

12288:UTEYAsROAsrt/uxduo1jB0Y96qwp5hnHmG5KAqULf49fWyLV3kxpsV7UuTPHKz2m:UwT7rC6qwRHJ7LftbaOzklfc9

Score

10^/10

eternity stealer

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1896-0-0x0000000000100000-0x00000000001E6000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3993ed7cb4f9b54a54a4fe7f623e420c.exe	3993ed7cb4f9b54a54a4fe7f623e420c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3993ed7cb4f9b54a54a4fe7f623e420c.exe	3993ed7cb4f9b54a54a4fe7f623e420c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	3993ed7cb4f9b54a54a4fe7f623e420c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1948	1896	3993ed7cb4f9b54a54a4fe7f623e420c.exe	21
PID 1896 wrote to memory of 1948	1896	3993ed7cb4f9b54a54a4fe7f623e420c.exe	21
PID 1896 wrote to memory of 1948	1896	3993ed7cb4f9b54a54a4fe7f623e420c.exe	21

C:\Users\Admin\AppData\Local\Temp\3993ed7cb4f9b54a54a4fe7f623e420c.exe
"C:\Users\Admin\AppData\Local\Temp\3993ed7cb4f9b54a54a4fe7f623e420c.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1896 -s 756
  2⤵
  PID:1948

memory/1896-0-0x0000000000100000-0x00000000001E6000-memory.dmp

Filesize
920KB

Download
memory/1896-1-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-5-0x0000000002040000-0x000000000207E000-memory.dmp

Filesize
248KB

Download
memory/1896-7-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1896-6-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1896-4-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1896-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1896-10-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-11-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download
memory/1896-12-0x000000001AF70000-0x000000001AFF0000-memory.dmp

Filesize
512KB

Download