eternity | de6a42e8a3ec2020839117b2dabe1a63ec1504deb3b518c29a642c0bb09bfee8

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 12:53

Target

191f2987a50aa28ada610e057d27bca1.exe
Size

880KB
MD5

191f2987a50aa28ada610e057d27bca1
SHA1

58165ed967f4b638dcfc6ad84c72d751f48d7a88
SHA256

de6a42e8a3ec2020839117b2dabe1a63ec1504deb3b518c29a642c0bb09bfee8
SHA512

f595069848c59e364d21b9d0c21b21451e38e500509db966bd7ad20417eef7d6f604ce28072cdc697adfc5e2550eaec35987c6b78480b5050b1174da6d60bd2d
SSDEEP

12288:aTEYAsROAsrt/uxduo1jB0Y96qOLr3/SAeyiyeF/LMWBTZCXwSkTb2KqHIIgYur3:awT7rC6qOPN8F/LMaCjk32VHur3

Score

10^/10

eternity stealer

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2388-0-0x0000000000D90000-0x0000000000E74000-memory.dmp	eternity_stealer
behavioral1/memory/2388-12-0x000000001AFE0000-0x000000001B060000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\191f2987a50aa28ada610e057d27bca1.exe	191f2987a50aa28ada610e057d27bca1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\191f2987a50aa28ada610e057d27bca1.exe	191f2987a50aa28ada610e057d27bca1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	191f2987a50aa28ada610e057d27bca1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2452	2388	191f2987a50aa28ada610e057d27bca1.exe	28
PID 2388 wrote to memory of 2452	2388	191f2987a50aa28ada610e057d27bca1.exe	28
PID 2388 wrote to memory of 2452	2388	191f2987a50aa28ada610e057d27bca1.exe	28

C:\Users\Admin\AppData\Local\Temp\191f2987a50aa28ada610e057d27bca1.exe
"C:\Users\Admin\AppData\Local\Temp\191f2987a50aa28ada610e057d27bca1.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2388 -s 760
  2⤵
  PID:2452

memory/2388-0-0x0000000000D90000-0x0000000000E74000-memory.dmp

Filesize
912KB

Download
memory/2388-1-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-2-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-3-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-4-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-5-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2388-6-0x00000000003D0000-0x000000000040E000-memory.dmp

Filesize
248KB

Download
memory/2388-7-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2388-10-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2388-11-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2388-12-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2388-13-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download