eternity | cbe6388327c64915487fd0389a76024c0515566ebef4e17f4f12b311b9db3e0b

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 12:30

Target

946f5e0ac27037688ce477094c7ff100N.exe
Size

889KB
MD5

946f5e0ac27037688ce477094c7ff100
SHA1

b2d5b180090e49e13b2739186697c22312bf1f92
SHA256

cbe6388327c64915487fd0389a76024c0515566ebef4e17f4f12b311b9db3e0b
SHA512

8b4903bab03530485ca98fe6dde893e33c6333c895d4bada50b790c32bcdfbef75d3bd6fa19ec94ed794c65a1bf7bf1f3ec1efec6f0d884bb36c993251872127
SSDEEP

12288:TTEYAsROAsrt/uxduo1jB0Y96qPm+ab4xSFKxECo9MHg/Qzj6BYACGHIix9P59:TwT7rC6qyW+9MHmQzexxj9

Score

10^/10

eternity stealer

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2152-1-0x0000000000AA0000-0x0000000000B86000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\946f5e0ac27037688ce477094c7ff100N.exe	946f5e0ac27037688ce477094c7ff100N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\946f5e0ac27037688ce477094c7ff100N.exe	946f5e0ac27037688ce477094c7ff100N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	946f5e0ac27037688ce477094c7ff100N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2736	2152	946f5e0ac27037688ce477094c7ff100N.exe	30
PID 2152 wrote to memory of 2736	2152	946f5e0ac27037688ce477094c7ff100N.exe	30
PID 2152 wrote to memory of 2736	2152	946f5e0ac27037688ce477094c7ff100N.exe	30

C:\Users\Admin\AppData\Local\Temp\946f5e0ac27037688ce477094c7ff100N.exe
"C:\Users\Admin\AppData\Local\Temp\946f5e0ac27037688ce477094c7ff100N.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2152 -s 764
  2⤵
  PID:2736

memory/2152-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

Filesize
4KB

Download
memory/2152-1-0x0000000000AA0000-0x0000000000B86000-memory.dmp

Filesize
920KB

Download
memory/2152-2-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2152-3-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-4-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-5-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-7-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-8-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

Filesize
4KB

Download