eternity | fe2d0e873f238e8c212e1a4bec1d4c666a4b5153016b9494b403652571e7dbf8

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 18:44

Target

4eb5c97d66e762fcc9358d4fa8c7b70a.exe
Size

1.1MB
MD5

4eb5c97d66e762fcc9358d4fa8c7b70a
SHA1

fa9d97be9304f1c19141d6e16ecf9bc42afe4dcb
SHA256

fe2d0e873f238e8c212e1a4bec1d4c666a4b5153016b9494b403652571e7dbf8
SHA512

b4488db4fd12e54a1b3caf5f32926b0f54e98ca8bb5790deb99e9012f094d0c07af77a57d4c9404aa37b395548ee578aa79339ae6835d47c04d7d5325a645b63
SSDEEP

12288:PTEYAsROAsrt/uxduo1jB0Y96qQUot5G+dovpSdfoMrb/9o56GkOdnbTtFh+kQpi:PwT7rC6qQxKvgoob9rGkMPQJ+

Score

10^/10

eternity stealer

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2296-0-0x0000000001080000-0x000000000117E000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4eb5c97d66e762fcc9358d4fa8c7b70a.exe	4eb5c97d66e762fcc9358d4fa8c7b70a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4eb5c97d66e762fcc9358d4fa8c7b70a.exe	4eb5c97d66e762fcc9358d4fa8c7b70a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	4eb5c97d66e762fcc9358d4fa8c7b70a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2692	2296	4eb5c97d66e762fcc9358d4fa8c7b70a.exe	19
PID 2296 wrote to memory of 2692	2296	4eb5c97d66e762fcc9358d4fa8c7b70a.exe	19
PID 2296 wrote to memory of 2692	2296	4eb5c97d66e762fcc9358d4fa8c7b70a.exe	19

C:\Users\Admin\AppData\Local\Temp\4eb5c97d66e762fcc9358d4fa8c7b70a.exe
"C:\Users\Admin\AppData\Local\Temp\4eb5c97d66e762fcc9358d4fa8c7b70a.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2296 -s 756
  2⤵
  PID:2692

memory/2296-0-0x0000000001080000-0x000000000117E000-memory.dmp

Filesize
1016KB

Download
memory/2296-1-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-4-0x0000000000E20000-0x0000000000E5E000-memory.dmp

Filesize
248KB

Download
memory/2296-6-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/2296-8-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/2296-7-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/2296-5-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2296-3-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-11-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2296-12-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download
memory/2296-13-0x000000001ADB0000-0x000000001AE30000-memory.dmp

Filesize
512KB

Download