eternity | abcd003b1760e5d14fe6e99491414fa2a0647745c00c4e19a40cf464c947b8fa

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 00:52

Target

0924f5981c48825e5ed86f85e6c0c523.exe
Size

880KB
MD5

0924f5981c48825e5ed86f85e6c0c523
SHA1

fcac9f2f58790421f37dea24f03b1ef7696cbe87
SHA256

abcd003b1760e5d14fe6e99491414fa2a0647745c00c4e19a40cf464c947b8fa
SHA512

98c2ff2a62a3c0e4182682007468cadc34282ded0b7b0a0ef3a2201b9f91ab02ce2625dbf84e8621b67e3a8676612953ca59f3c872e6c01ba9a7aa79ece4080e
SSDEEP

12288:zTEYAsROAsrt/uxduo1jB0Y96quL1ON0H9s1z0fw9tzvrHSKMQx8mhM5WaE4RfL4:zwT7rC6quL1Otzd9xuG8OyEGQ7

Score

10^/10

eternity stealer

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1244-0-0x0000000000BD0000-0x0000000000CB4000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0924f5981c48825e5ed86f85e6c0c523.exe	0924f5981c48825e5ed86f85e6c0c523.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0924f5981c48825e5ed86f85e6c0c523.exe	0924f5981c48825e5ed86f85e6c0c523.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	0924f5981c48825e5ed86f85e6c0c523.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2156	1244	0924f5981c48825e5ed86f85e6c0c523.exe	21
PID 1244 wrote to memory of 2156	1244	0924f5981c48825e5ed86f85e6c0c523.exe	21
PID 1244 wrote to memory of 2156	1244	0924f5981c48825e5ed86f85e6c0c523.exe	21

C:\Users\Admin\AppData\Local\Temp\0924f5981c48825e5ed86f85e6c0c523.exe
"C:\Users\Admin\AppData\Local\Temp\0924f5981c48825e5ed86f85e6c0c523.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1244 -s 756
  2⤵
  PID:2156

memory/1244-0-0x0000000000BD0000-0x0000000000CB4000-memory.dmp

Filesize
912KB

Download
memory/1244-1-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1244-5-0x00000000003F0000-0x000000000042E000-memory.dmp

Filesize
248KB

Download
memory/1244-8-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1244-6-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1244-4-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1244-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1244-2-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1244-9-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1244-10-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download