eternity | 9f87d14a9b58a6b91044aa1c28225f6d97b12a73a027f4a32f3d6d4e2be8fa48

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe
Size

492KB
MD5

0ebe8de305581c9eca37e53a46d033c8
SHA1

3068323ddb9d09a0a10e1f7d834e1358a9cd7f89
SHA256

dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067
SHA512

bd7bc348869325f8b9a19810e6e49bfaba4a47ca258744f1b17130584a82e88b3b9a42a4a7fb735c33544931b9c08effee5e6c387a5cf812af139624f0091d98
SSDEEP

6144:eId3g90Y8TN9lvVAb0j/KCVmId3g90Y8TN9lvVAb0j/KCVNv1kox7Z:jqkxr1jqkxr1d1VN

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2400-1-0x0000000000FB0000-0x0000000000FEC000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Eternity family
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LilithWorker.exe	dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LilithWorker.exe	dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe

C:\Users\Admin\AppData\Local\Temp\dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe
"C:\Users\Admin\AppData\Local\Temp\dabf03c9a26775c251f857f1ed7c3b17e3bfb26bc50d75f135104270b5188067.exe"
1⤵
- Drops startup file
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000000FB0000-0x0000000000FEC000-memory.dmp

Filesize
240KB

Download
memory/2400-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-4-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2400-5-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download