eternity | 083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe
Size

66KB
MD5

684ba0386ac3c481ab4e2a31d6c5a832
SHA1

a763049196fc1bf64d2aa024951000bc294fadd1
SHA256

083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409
SHA512

1d050399d3596d74fd1c8e6f3de4414fc64d03ddd318f29a460544d2aec521ada0f5cef1e99568072833d6c7c3314536e5ea02c0a065a6bc2cb198bc84538ee3
SSDEEP

384:9u/XOJD9vad5JEPIeNznDBA8CrF6wYA5vG38dDnaxg679Poww4glQhgLU07kRI0m:C+ZadDmIevBK6X6es9naW+9SLf

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	2816	WerFault.exe	27

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2084	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2084	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	28
PID 2816 wrote to memory of 2084	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	28
PID 2816 wrote to memory of 2084	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	28
PID 2816 wrote to memory of 2084	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	28
PID 2816 wrote to memory of 2828	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	29
PID 2816 wrote to memory of 2828	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	29
PID 2816 wrote to memory of 2828	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	29
PID 2816 wrote to memory of 2828	2816	083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe	29

C:\Users\Admin\AppData\Local\Temp\083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe
"C:\Users\Admin\AppData\Local\Temp\083d14f17c17f8f5e045eb446981733893929ed922d46bfd66c008469dcd8409.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Kaspersky_VRT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 916
  2⤵
  - Program crash
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Kaspersky_VRT.txt

Filesize
862B

MD5
7456c178aa8743a3196f530ebc8711db

SHA1
95ee0059dfdff544757938f13d957dcefb501bd4

SHA256
73496e9df02154c4c109ff778c932fff79c9dc4a910a2c956810d5db97259a51

SHA512
88b8a360abab8c69f9bc3c4d7cb7de12f025fc0bdbbe4e094c376ea63ef0b0e669190072492a837a4290d4f72dc346e5813b224d4523b30757a6849e5e85145c

Download Submit
memory/2816-0-0x00000000742CE000-0x00000000742CF000-memory.dmp

Filesize
4KB

Download
memory/2816-1-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Filesize
88KB

Download
memory/2816-3-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/2816-8-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download