eternity | 7021d3394cf49d1425d08e97e5b7a92c505bad9c5d7185b6a329b9ac0bcc347e

Analysis

max time kernel
131s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cracked_ajproxy_v12.6.exe
Size

1.6MB
MD5

81b8a06332544fc839b5b4d823637fd2
SHA1

b65a8b859b40881642e3be0e12450a48372df8c2
SHA256

7021d3394cf49d1425d08e97e5b7a92c505bad9c5d7185b6a329b9ac0bcc347e
SHA512

298eafba0045cf880899b204f9d24acd0615bdec71722ba59d14d9636f035078b1bbd9af1b6422c2074057bdac65852fb97d31510e10edb012fae4b00de9f59d
SSDEEP

24576:AAyH9t5/YZnpa1gPLrUtTi8VOhF2i+3gN6vyptsaZq5ilgmoW3lH1oWA+8LAoy7:MHKZnggMgnhFZ6vynoC3NuX+8L2

Score

10^/10

eternity persistence stealer

Malware Config

Signatures

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000023268-5.dat	eternity_stealer
behavioral1/memory/2388-7-0x0000000000560000-0x0000000000646000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AJPROX~1.EXE	AJPROX~1.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AJPROX~1.EXE	AJPROX~1.EXE

Executes dropped EXE 3 IoCs

pid	Process
2388	AJPROX~1.EXE
2148	dcd.exe
1420	AJPREM~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cracked_ajproxy_v12.6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	AJPROX~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 2388	4844	cracked_ajproxy_v12.6.exe	85
PID 4844 wrote to memory of 2388	4844	cracked_ajproxy_v12.6.exe	85
PID 2388 wrote to memory of 2148	2388	AJPROX~1.EXE	89
PID 2388 wrote to memory of 2148	2388	AJPROX~1.EXE	89
PID 2388 wrote to memory of 2148	2388	AJPROX~1.EXE	89
PID 4844 wrote to memory of 1420	4844	cracked_ajproxy_v12.6.exe	94
PID 4844 wrote to memory of 1420	4844	cracked_ajproxy_v12.6.exe	94
PID 4472 wrote to memory of 4748	4472	msedge.exe	111
PID 4472 wrote to memory of 4748	4472	msedge.exe	111
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3840	4472	msedge.exe	112
PID 4472 wrote to memory of 3620	4472	msedge.exe	113
PID 4472 wrote to memory of 3620	4472	msedge.exe	113
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114
PID 4472 wrote to memory of 3616	4472	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\cracked_ajproxy_v12.6.exe
"C:\Users\Admin\AppData\Local\Temp\cracked_ajproxy_v12.6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AJPROX~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AJPROX~1.EXE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AJPREM~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AJPREM~1.EXE
  2⤵
  - Executes dropped EXE
  PID:1420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault71fac843h4cbch47d4ha2f2h7319c7ebfae3
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff85d5646f8,0x7ff85d564708,0x7ff85d564718
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,1258500911911533494,6514911135839086694,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,1258500911911533494,6514911135839086694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,1258500911911533494,6514911135839086694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
854f73d7b3f85bf181d2f2002afd17db

SHA1
53e5e04c78d1b81b5e6c400ce226e6be25e0dea8

SHA256
54c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4

SHA512
de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5fc4f295f4c74371d3454651955f688

SHA1
1c181cb58750bd5eb0f80fcffddc57bc3b248f6d

SHA256
2e45a14c39381ab4ee96cd977408d47380d203c38a9f9299cd946ef25f9a92c0

SHA512
530d294d74180496ef1dce6928d810697b1a1a29c0a85aade8dd24c9d412940dd3103e9814bd155bbfa3cbb5ba056749ed01ddef3ebd200d3c3ed602203fc4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
aee14593a1819406498ff94ad0bab786

SHA1
a23227a876bffd1d593c50d0f505ac347f1192b6

SHA256
6889d2021c60d2bed2bc81b6ca742bf3f2ffc665a0f258d66a6707418a12118a

SHA512
fd1d377ed512e892e5405f240eb8e915b35c385a0ad6c093687f66b1347a8f19f66f5747926d1f58687e371e65a4bd89f0a914593ff614d9d5c9eef91f110367

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AJPREM~1.EXE

Filesize
2.5MB

MD5
54051aebe73c841abc04ad2531236ff2

SHA1
8a022f380d262054c367777cdfbe13e38887fafd

SHA256
12c2f529706d5a717430b01c24ffa4a9a83e8f410ef66a967c97afa80e5e05cd

SHA512
11952332f8c163b961f095e801a52ee25cb8241492c5e77328b61dc075190517a8c3ce3c75b59e1684fb113927cf41e2d435262fc36ae419165be33ac1454332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AJPROX~1.EXE

Filesize
885KB

MD5
a350c3a0939b93738bbf57d6d4aa1861

SHA1
ec692bdd82ba3b16e26036343d43c3cfe854cf94

SHA256
a0c1f65b28bf8bf8f8dd9b3ee9bfc584a43f35993d1d08d73c305dd0852c89ff

SHA512
f7f672015cc7daccfaffedf299012d2cab2bf23c5bfbe855dfc091fa5e33a7963e45b5aab295982dc2e8a9e239ac37a85dc2753777a9d19ed0720ec026c399ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
memory/2388-10-0x00007FF85E510000-0x00007FF85EFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-14-0x000000001B170000-0x000000001B180000-memory.dmp

Filesize
64KB

Download
memory/2388-15-0x000000001B170000-0x000000001B180000-memory.dmp

Filesize
64KB

Download
memory/2388-12-0x000000001B180000-0x000000001B1BE000-memory.dmp

Filesize
248KB

Download
memory/2388-22-0x00007FF85E510000-0x00007FF85EFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-13-0x000000001B170000-0x000000001B180000-memory.dmp

Filesize
64KB

Download
memory/2388-11-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2388-9-0x000000001B100000-0x000000001B150000-memory.dmp

Filesize
320KB

Download
memory/2388-8-0x00007FF85E510000-0x00007FF85EFD1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-7-0x0000000000560000-0x0000000000646000-memory.dmp

Filesize
920KB

Download