eternity | e2309c682f782d178c25ed497026f05e6528bf3de4869ac7d7530a6360895592

Analysis

max time kernel
63s
max time network
64s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silvestras Premium Proxy.zip
Size

4.6MB
MD5

c896589cb776f360eb2b6f145f3f53f2
SHA1

5660dfaeeda5ff7594b8b3ea68e290331364b33a
SHA256

e2309c682f782d178c25ed497026f05e6528bf3de4869ac7d7530a6360895592
SHA512

c1c12a77f8bdb89a8a5e442317444e087513b66321822961b14e2c63818932ed6d36b3dd1057622c03325d7085488199e2243d3f5b3f92f3d15d5fefa7edb20b
SSDEEP

98304:jNQB3kVkq8KsLyQgIElkFF2dDix2dfPkDgvm3mDWx7ykyUQ:jNZkqxsW+FU1I6fcDYWVyUQ

Score

10^/10

eternity evasion execution spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0035000000016334-4.dat	disable_win_def
behavioral1/memory/2700-11-0x0000000000BC0000-0x00000000010BC000-memory.dmp	disable_win_def
behavioral1/memory/2700-18-0x000000013FBE0000-0x000000014047E000-memory.dmp	disable_win_def
behavioral1/memory/2700-44-0x000000013FBE0000-0x000000014047E000-memory.dmp	disable_win_def

Detects Eternity stealer 4 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0035000000016334-4.dat	eternity_stealer
behavioral1/memory/2700-11-0x0000000000BC0000-0x00000000010BC000-memory.dmp	eternity_stealer
behavioral1/memory/2700-18-0x000000013FBE0000-0x000000014047E000-memory.dmp	eternity_stealer
behavioral1/memory/2700-44-0x000000013FBE0000-0x000000014047E000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Eternity family
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Silviozas Premium Proxy V3.85984.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Silviozas Premium Proxy V3.85984.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2108	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Silviozas Premium Proxy V3.85984.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe	Silviozas Premium Proxy V3.85984.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe	Silviozas Premium Proxy V3.85984.exe

Executes dropped EXE 3 IoCs

pid	Process
2700	Silviozas Premium Proxy V3.85984.exe
1980	Silviozas Premium Proxy V3.85984.exe
2284	dcd.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	Silviozas Premium Proxy V3.85984.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Silviozas Premium Proxy V3.85984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2108	powershell.exe
2944	powershell.exe
2116	7zFM.exe
2116	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2116	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2116	7zFM.exe
Token: 35	2116	7zFM.exe
Token: SeSecurityPrivilege	2116	7zFM.exe
Token: SeDebugPrivilege	2700	Silviozas Premium Proxy V3.85984.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1980	Silviozas Premium Proxy V3.85984.exe
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2116	7zFM.exe
2116	7zFM.exe
2116	7zFM.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2700	2116	7zFM.exe	30
PID 2116 wrote to memory of 2700	2116	7zFM.exe	30
PID 2116 wrote to memory of 2700	2116	7zFM.exe	30
PID 2700 wrote to memory of 1980	2700	Silviozas Premium Proxy V3.85984.exe	31
PID 2700 wrote to memory of 1980	2700	Silviozas Premium Proxy V3.85984.exe	31
PID 2700 wrote to memory of 1980	2700	Silviozas Premium Proxy V3.85984.exe	31
PID 1980 wrote to memory of 2612	1980	Silviozas Premium Proxy V3.85984.exe	33
PID 1980 wrote to memory of 2612	1980	Silviozas Premium Proxy V3.85984.exe	33
PID 1980 wrote to memory of 2612	1980	Silviozas Premium Proxy V3.85984.exe	33
PID 1980 wrote to memory of 2156	1980	Silviozas Premium Proxy V3.85984.exe	34
PID 1980 wrote to memory of 2156	1980	Silviozas Premium Proxy V3.85984.exe	34
PID 1980 wrote to memory of 2156	1980	Silviozas Premium Proxy V3.85984.exe	34
PID 2156 wrote to memory of 2108	2156	cmd.exe	35
PID 2156 wrote to memory of 2108	2156	cmd.exe	35
PID 2156 wrote to memory of 2108	2156	cmd.exe	35
PID 1980 wrote to memory of 1152	1980	Silviozas Premium Proxy V3.85984.exe	36
PID 1980 wrote to memory of 1152	1980	Silviozas Premium Proxy V3.85984.exe	36
PID 1980 wrote to memory of 1152	1980	Silviozas Premium Proxy V3.85984.exe	36
PID 1980 wrote to memory of 1296	1980	Silviozas Premium Proxy V3.85984.exe	37
PID 1980 wrote to memory of 1296	1980	Silviozas Premium Proxy V3.85984.exe	37
PID 1980 wrote to memory of 1296	1980	Silviozas Premium Proxy V3.85984.exe	37
PID 1296 wrote to memory of 1856	1296	cmd.exe	38
PID 1296 wrote to memory of 1856	1296	cmd.exe	38
PID 1296 wrote to memory of 1856	1296	cmd.exe	38
PID 1296 wrote to memory of 3020	1296	cmd.exe	39
PID 1296 wrote to memory of 3020	1296	cmd.exe	39
PID 1296 wrote to memory of 3020	1296	cmd.exe	39
PID 1296 wrote to memory of 3024	1296	cmd.exe	40
PID 1296 wrote to memory of 3024	1296	cmd.exe	40
PID 1296 wrote to memory of 3024	1296	cmd.exe	40
PID 2700 wrote to memory of 2284	2700	Silviozas Premium Proxy V3.85984.exe	41
PID 2700 wrote to memory of 2284	2700	Silviozas Premium Proxy V3.85984.exe	41
PID 2700 wrote to memory of 2284	2700	Silviozas Premium Proxy V3.85984.exe	41
PID 2700 wrote to memory of 2284	2700	Silviozas Premium Proxy V3.85984.exe	41
PID 2700 wrote to memory of 2944	2700	Silviozas Premium Proxy V3.85984.exe	42
PID 2700 wrote to memory of 2944	2700	Silviozas Premium Proxy V3.85984.exe	42
PID 2700 wrote to memory of 2944	2700	Silviozas Premium Proxy V3.85984.exe	42
PID 2700 wrote to memory of 1732	2700	Silviozas Premium Proxy V3.85984.exe	44
PID 2700 wrote to memory of 1732	2700	Silviozas Premium Proxy V3.85984.exe	44
PID 2700 wrote to memory of 1732	2700	Silviozas Premium Proxy V3.85984.exe	44

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Silvestras Premium Proxy.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\7zO4480B767\Silviozas Premium Proxy V3.85984.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4480B767\Silviozas Premium Proxy V3.85984.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\ihbqexyo.f5h\Silviozas Premium Proxy V3.85984.exe
    "C:\Users\Admin\AppData\Local\Temp\ihbqexyo.f5h\Silviozas Premium Proxy V3.85984.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 0A
      4⤵
      PID:2612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 0A
      4⤵
      PID:1152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ihbqexyo.f5h\Silviozas Premium Proxy V3.85984.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Windows\system32\certutil.exe
        
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ihbqexyo.f5h\Silviozas Premium Proxy V3.85984.exe" MD5
        5⤵
        
        PID:1856
    - - C:\Windows\system32\find.exe
        
        find /i /v "md5"
        5⤵
        
        PID:3020
    - - C:\Windows\system32\find.exe
        
        find /i /v "certutil"
        5⤵
        
        PID:3024
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2700 -s 1872
    3⤵
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4480B767\Silviozas Premium Proxy V3.85984.exe

Filesize
5.0MB

MD5
628f62f1001ff7705103ab9f5ef5ffd1

SHA1
6748a7dc711fdcf2787f8634a0287ea382cbd690

SHA256
59f927e858a8cdf2330099c7b18b3f74bc6616d67b11e174aab539bd7aff067a

SHA512
6eb4d989dff77528b86c866fe63c088e3c3b67bc01c5017cd9a814aebee96bfd49982d760a093371a2529ef9ee84b65194f98c3ba4f4d11a7e120725d65129c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihbqexyo.f5h\Silviozas Premium Proxy V3.85984.exe

Filesize
2.0MB

MD5
c671cffbc1466d28212399e16035d2c3

SHA1
90037556b5f85796d56de164336dd25d479100f3

SHA256
a01646d5fc27869bc3dc6fc0b291e7abb1915edc945eea648a9ac1d101807c89

SHA512
a7a5ec98ca342b1a16e81f2af813bc6491be2cbc8e16b062ee757a362e0130579b828685551cfc42b7f5495fdd1af15841b5edb9dbd76e89353fafe58423c5a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
795c22895ec93d3c2c29e7337f7fc2b2

SHA1
d7f565cc8344187c91fbad29a0c78fe4b84bf3e8

SHA256
9e1b0cfb9004dc99d977396cd77326ff9c218c872046e647a5c00d310dd49124

SHA512
1937691742942cc25fbe46dbe2d72d68a1a47d3a58f4cbe7ef91f23634faa20c2a70012e9123b78001391a0c46340bbddad62e28e6fff7cc56b73998e17faed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NSJFXJZI0X53Y67F1R8K.temp

Filesize
7KB

MD5
918169f679b9df348a55be2db814e409

SHA1
da1a3824c70b81b500e0d019e9f29719c4675998

SHA256
c85d0d9a28dccc4e3285a94af61c790c26ca6ea79110b5ccd66bc4824a8d1acf

SHA512
6f2d440cde61b369f11305a0e94c401d3a638001844f974d50f345b4173b4dd3c738b6f9b8672132a96a3032cc53e831602edec332d829662627ed10d33124de

Download Submit
memory/1980-49-0x000000013FBE0000-0x000000014047E000-memory.dmp

Filesize
8.6MB

Download
memory/1980-48-0x000000013FBE0000-0x000000014047E000-memory.dmp

Filesize
8.6MB

Download
memory/1980-19-0x000000013FBE0000-0x000000014047E000-memory.dmp

Filesize
8.6MB

Download
memory/1980-47-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1980-21-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1980-45-0x000000013FBE0000-0x000000014047E000-memory.dmp

Filesize
8.6MB

Download
memory/2108-28-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2108-27-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2700-44-0x000000013FBE0000-0x000000014047E000-memory.dmp

Filesize
8.6MB

Download
memory/2700-18-0x000000013FBE0000-0x000000014047E000-memory.dmp

Filesize
8.6MB

Download
memory/2700-12-0x000000001BDC0000-0x000000001C002000-memory.dmp

Filesize
2.3MB

Download
memory/2700-11-0x0000000000BC0000-0x00000000010BC000-memory.dmp

Filesize
5.0MB

Download
memory/2944-40-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2944-41-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download