eternity | e2309c682f782d178c25ed497026f05e6528bf3de4869ac7d7530a6360895592

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silviozas Premium Proxy V3.85984.exe
Size

5.0MB
MD5

628f62f1001ff7705103ab9f5ef5ffd1
SHA1

6748a7dc711fdcf2787f8634a0287ea382cbd690
SHA256

59f927e858a8cdf2330099c7b18b3f74bc6616d67b11e174aab539bd7aff067a
SHA512

6eb4d989dff77528b86c866fe63c088e3c3b67bc01c5017cd9a814aebee96bfd49982d760a093371a2529ef9ee84b65194f98c3ba4f4d11a7e120725d65129c2
SSDEEP

98304:SrjYFpk1kqeK+h2qwqYNorcrLEtwZJJuRWpAFyFSB76Z:C9kqX+QmrcrLm4JMRuS8

Score

10^/10

eternity evasion execution spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral3/memory/2336-1-0x0000000000B30000-0x000000000102C000-memory.dmp	disable_win_def

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral3/memory/2336-1-0x0000000000B30000-0x000000000102C000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Eternity family
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Silviozas Premium Proxy V3.85984.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Silviozas Premium Proxy V3.85984.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe	Silviozas Premium Proxy V3.85984.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe	Silviozas Premium Proxy V3.85984.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	Silviozas Premium Proxy V3.85984.exe
2632	dcd.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	Silviozas Premium Proxy V3.85984.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Silviozas Premium Proxy V3.85984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2732	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	Silviozas Premium Proxy V3.85984.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2840	Silviozas Premium Proxy V3.85984.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2840	2336	Silviozas Premium Proxy V3.85984.exe	30
PID 2336 wrote to memory of 2840	2336	Silviozas Premium Proxy V3.85984.exe	30
PID 2336 wrote to memory of 2840	2336	Silviozas Premium Proxy V3.85984.exe	30
PID 2840 wrote to memory of 2656	2840	Silviozas Premium Proxy V3.85984.exe	32
PID 2840 wrote to memory of 2656	2840	Silviozas Premium Proxy V3.85984.exe	32
PID 2840 wrote to memory of 2656	2840	Silviozas Premium Proxy V3.85984.exe	32
PID 2840 wrote to memory of 2824	2840	Silviozas Premium Proxy V3.85984.exe	33
PID 2840 wrote to memory of 2824	2840	Silviozas Premium Proxy V3.85984.exe	33
PID 2840 wrote to memory of 2824	2840	Silviozas Premium Proxy V3.85984.exe	33
PID 2824 wrote to memory of 2732	2824	cmd.exe	34
PID 2824 wrote to memory of 2732	2824	cmd.exe	34
PID 2824 wrote to memory of 2732	2824	cmd.exe	34
PID 2336 wrote to memory of 2632	2336	Silviozas Premium Proxy V3.85984.exe	35
PID 2336 wrote to memory of 2632	2336	Silviozas Premium Proxy V3.85984.exe	35
PID 2336 wrote to memory of 2632	2336	Silviozas Premium Proxy V3.85984.exe	35
PID 2336 wrote to memory of 2632	2336	Silviozas Premium Proxy V3.85984.exe	35
PID 2840 wrote to memory of 3020	2840	Silviozas Premium Proxy V3.85984.exe	36
PID 2840 wrote to memory of 3020	2840	Silviozas Premium Proxy V3.85984.exe	36
PID 2840 wrote to memory of 3020	2840	Silviozas Premium Proxy V3.85984.exe	36
PID 2840 wrote to memory of 1020	2840	Silviozas Premium Proxy V3.85984.exe	37
PID 2840 wrote to memory of 1020	2840	Silviozas Premium Proxy V3.85984.exe	37
PID 2840 wrote to memory of 1020	2840	Silviozas Premium Proxy V3.85984.exe	37
PID 1020 wrote to memory of 2032	1020	cmd.exe	38
PID 1020 wrote to memory of 2032	1020	cmd.exe	38
PID 1020 wrote to memory of 2032	1020	cmd.exe	38
PID 1020 wrote to memory of 2452	1020	cmd.exe	39
PID 1020 wrote to memory of 2452	1020	cmd.exe	39
PID 1020 wrote to memory of 2452	1020	cmd.exe	39
PID 1020 wrote to memory of 1532	1020	cmd.exe	40
PID 1020 wrote to memory of 1532	1020	cmd.exe	40
PID 1020 wrote to memory of 1532	1020	cmd.exe	40
PID 2336 wrote to memory of 2896	2336	Silviozas Premium Proxy V3.85984.exe	41
PID 2336 wrote to memory of 2896	2336	Silviozas Premium Proxy V3.85984.exe	41
PID 2336 wrote to memory of 2896	2336	Silviozas Premium Proxy V3.85984.exe	41
PID 2336 wrote to memory of 1996	2336	Silviozas Premium Proxy V3.85984.exe	43
PID 2336 wrote to memory of 1996	2336	Silviozas Premium Proxy V3.85984.exe	43
PID 2336 wrote to memory of 1996	2336	Silviozas Premium Proxy V3.85984.exe	43

C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe
"C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\u3hb21su.w45\Silviozas Premium Proxy V3.85984.exe
  "C:\Users\Admin\AppData\Local\Temp\u3hb21su.w45\Silviozas Premium Proxy V3.85984.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\u3hb21su.w45\Silviozas Premium Proxy V3.85984.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\u3hb21su.w45\Silviozas Premium Proxy V3.85984.exe" MD5
      4⤵
      PID:2032
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2452
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:1532
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2336 -s 1868
  2⤵
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3hb21su.w45\Silviozas Premium Proxy V3.85984.exe

Filesize
2.0MB

MD5
c671cffbc1466d28212399e16035d2c3

SHA1
90037556b5f85796d56de164336dd25d479100f3

SHA256
a01646d5fc27869bc3dc6fc0b291e7abb1915edc945eea648a9ac1d101807c89

SHA512
a7a5ec98ca342b1a16e81f2af813bc6491be2cbc8e16b062ee757a362e0130579b828685551cfc42b7f5495fdd1af15841b5edb9dbd76e89353fafe58423c5a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a8cf0d17dfff1953a7ba32ee89b8038

SHA1
faf537c59f9207a6a47b93b37b1ce176f5088eab

SHA256
da772771503a1103c29e9842012365153cfc386190861e059c7d115278d18df2

SHA512
db00926acdda7b171706dda4466d5d994d7fdbc90bc5cc45f94737cc867732fdd63c0661827dd5ecaedaa8104003718947ce248035b10059b37e505eccd123d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HKE5XE114VZP0V1CXVXI.temp

Filesize
7KB

MD5
f42f6dea76d6a2c09f5a4767bbce8c57

SHA1
721b3344106766adb328dc52e25683c1d8624cad

SHA256
21f1f8bdd4a28e11905f71241d15c767e9ad056456682942ef54589ae2474e28

SHA512
e2be6438c5d3bf772edf2d972a4e41df5f47401d4ce541601f2ff4b9b55e93d5e81b77141573d7797088c00355eb267d0392ef0b5f1b5434d50dd0e6267e307d

Download Submit
memory/2336-38-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-1-0x0000000000B30000-0x000000000102C000-memory.dmp

Filesize
5.0MB

Download
memory/2336-10-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-11-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

Filesize
4KB

Download
memory/2336-13-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2336-5-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-3-0x000000001BAB0000-0x000000001BCF2000-memory.dmp

Filesize
2.3MB

Download
memory/2732-21-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2732-22-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2840-16-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/2840-12-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2840-39-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2840-40-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2840-41-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/2840-42-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2840-43-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2840-46-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2840-48-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2840-53-0x000000013F9F0000-0x000000014028E000-memory.dmp

Filesize
8.6MB

Download
memory/2896-34-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2896-35-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download