eternity | afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe
Size

72KB
MD5

b53922cd19d2f906148bd62f3e96caec
SHA1

6038d94acc9e943bce213c89d10686e4724dd99f
SHA256

afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d
SHA512

902abe1feab7239f122b117001fbcff5c40e9c648b2ca72d4e9ed98604089f232f1ff42de142013c23090dbbd00855db51c0f20f5cf244b4ed7add6f1bf2ca7d
SSDEEP

768:bthHn7dSDNC0DdlKhUcDamoaMZs9naW+9SLf:bthHSNCqIToaAs9a3SLf

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2472	2892	WerFault.exe	27

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2456	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2456	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	28
PID 2892 wrote to memory of 2456	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	28
PID 2892 wrote to memory of 2456	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	28
PID 2892 wrote to memory of 2456	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	28
PID 2892 wrote to memory of 2472	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	29
PID 2892 wrote to memory of 2472	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	29
PID 2892 wrote to memory of 2472	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	29
PID 2892 wrote to memory of 2472	2892	afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe	29

C:\Users\Admin\AppData\Local\Temp\afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe
"C:\Users\Admin\AppData\Local\Temp\afcc447467d954cf08e916789e7181a3c8b5fa9f49ec628574f43b17c2eee05d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\FolderTypes.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 932
  2⤵
  - Program crash
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderTypes.txt

Filesize
6KB

MD5
5130e896d3f3e5e02553b6f779ae4a37

SHA1
22de192c9b890095936acd668bb71b37975d5891

SHA256
a79c4cd7cf44dd454409d12779e613de88e40089037c7d99c63aee3e86347805

SHA512
8c6fe1f0974437f427d872a9f43d8133bd456514f47f201b6200a98232645aa844eb96470bb7aa25f2521706efc482e86dd1af7f330d9a316c982e496ef8ea1d

Download Submit
memory/2892-0-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2892-1-0x0000000001200000-0x0000000001216000-memory.dmp

Filesize
88KB

Download
memory/2892-3-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download
memory/2892-8-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/2892-9-0x0000000074340000-0x0000000074A2E000-memory.dmp

Filesize
6.9MB

Download