eternity | cd72f8f3af6f9d098b3da55db5f7869ab75ec679e0c302f790faffc0fa6c47b5

General

Target

869395ac2a88f6de036daf942d0b86d9.exe
Size

913KB
MD5

869395ac2a88f6de036daf942d0b86d9
SHA1

42fbe6f668153bcb850c13677efe924e835c229f
SHA256

cd72f8f3af6f9d098b3da55db5f7869ab75ec679e0c302f790faffc0fa6c47b5
SHA512

e2e8492442edcfec16553def0cae3361f744bc8f095b4863dbc745ac3e72c75e1be83bbb0bb69da4f74fcaaba2b35123222706508c0d1f0e05e22cbcb75390d9
SSDEEP

24576:rMYtHtnX4mHxjdibimBr4aOCZv4NPjgcwmIlSklG9:dtHtnX4mHObiMr4HCZvRzlJl

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000d0000000122e6-5.dat	disable_win_def
behavioral1/memory/2440-9-0x0000000000D10000-0x0000000000DFA000-memory.dmp	disable_win_def

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000d0000000122e6-5.dat	eternity_stealer
behavioral1/memory/2440-9-0x0000000000D10000-0x0000000000DFA000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tmp3DCB.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tmp3DCB.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tmp3DCB.tmp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tmp3DCB.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	tmp3DCB.tmp.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	tmp3DCB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2676	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	869395ac2a88f6de036daf942d0b86d9.exe
Token: SeDebugPrivilege	2440	tmp3DCB.tmp.exe
Token: SeDebugPrivilege	2676	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2440	2512	869395ac2a88f6de036daf942d0b86d9.exe	28
PID 2512 wrote to memory of 2440	2512	869395ac2a88f6de036daf942d0b86d9.exe	28
PID 2512 wrote to memory of 2440	2512	869395ac2a88f6de036daf942d0b86d9.exe	28
PID 2440 wrote to memory of 2676	2440	tmp3DCB.tmp.exe	29
PID 2440 wrote to memory of 2676	2440	tmp3DCB.tmp.exe	29
PID 2440 wrote to memory of 2676	2440	tmp3DCB.tmp.exe	29
PID 2440 wrote to memory of 1656	2440	tmp3DCB.tmp.exe	31
PID 2440 wrote to memory of 1656	2440	tmp3DCB.tmp.exe	31
PID 2440 wrote to memory of 1656	2440	tmp3DCB.tmp.exe	31

C:\Users\Admin\AppData\Local\Temp\869395ac2a88f6de036daf942d0b86d9.exe
"C:\Users\Admin\AppData\Local\Temp\869395ac2a88f6de036daf942d0b86d9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2440 -s 788
    3⤵
    PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3DCB.tmp.exe

Filesize
904KB

MD5
5bc9eac8653703bf899d63f49466773e

SHA1
49fc8ed3bf850f9f4f59dba04dd7a2ae453334b1

SHA256
02c72fe8fc25c0069b619cbfe9bd223af3b791db1ceff2b37dbb0b5697c2306d

SHA512
0709490737c0b3fc46f107a74e2a9f62705006c596280af31b23fe6ec20a0e411af294af569f0204ea20111152c47de2f13fab4f0f724f36c90ebd78ba05d352

Download Submit
memory/2440-16-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download
memory/2440-34-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download
memory/2440-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2440-15-0x00000000003D0000-0x000000000040E000-memory.dmp

Filesize
248KB

Download
memory/2440-9-0x0000000000D10000-0x0000000000DFA000-memory.dmp

Filesize
936KB

Download
memory/2440-10-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-11-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2440-12-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-31-0x000007FEF37C0000-0x000007FEF41AC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-14-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download
memory/2440-32-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2440-33-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download
memory/2440-35-0x0000000000A70000-0x0000000000AF0000-memory.dmp

Filesize
512KB

Download
memory/2512-7-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-2-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-28-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-3-0x0000000000BA0000-0x0000000000C20000-memory.dmp

Filesize
512KB

Download
memory/2676-23-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2676-27-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2676-29-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2676-30-0x000007FEEE170000-0x000007FEEEB0D000-memory.dmp

Filesize
9.6MB

Download
memory/2676-26-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2676-25-0x000007FEEE170000-0x000007FEEEB0D000-memory.dmp

Filesize
9.6MB

Download
memory/2676-21-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2676-24-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2676-22-0x000007FEEE170000-0x000007FEEEB0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads