eternity | e2309c682f782d178c25ed497026f05e6528bf3de4869ac7d7530a6360895592

General

Target

Silviozas Premium Proxy V3.85984.exe
Size

5.0MB
MD5

628f62f1001ff7705103ab9f5ef5ffd1
SHA1

6748a7dc711fdcf2787f8634a0287ea382cbd690
SHA256

59f927e858a8cdf2330099c7b18b3f74bc6616d67b11e174aab539bd7aff067a
SHA512

6eb4d989dff77528b86c866fe63c088e3c3b67bc01c5017cd9a814aebee96bfd49982d760a093371a2529ef9ee84b65194f98c3ba4f4d11a7e120725d65129c2
SSDEEP

98304:SrjYFpk1kqeK+h2qwqYNorcrLEtwZJJuRWpAFyFSB76Z:C9kqX+QmrcrLm4JMRuS8

Score

10^/10

eternity discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/memory/5064-1-0x0000000000EF0000-0x00000000013EC000-memory.dmp	disable_win_def

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral4/memory/5064-1-0x0000000000EF0000-0x00000000013EC000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Eternity family
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Silviozas Premium Proxy V3.85984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Silviozas Premium Proxy V3.85984.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1928	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Silviozas Premium Proxy V3.85984.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Silviozas Premium Proxy V3.85984.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe	Silviozas Premium Proxy V3.85984.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Silviozas Premium Proxy V3.85984.exe	Silviozas Premium Proxy V3.85984.exe

Executes dropped EXE 2 IoCs

pid	Process
1868	Silviozas Premium Proxy V3.85984.exe
3308	dcd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Silviozas Premium Proxy V3.85984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4276	powershell.exe
1928	powershell.exe
1928	powershell.exe
4276	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	Silviozas Premium Proxy V3.85984.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1868	Silviozas Premium Proxy V3.85984.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 1868	5064	Silviozas Premium Proxy V3.85984.exe	83
PID 5064 wrote to memory of 1868	5064	Silviozas Premium Proxy V3.85984.exe	83
PID 5064 wrote to memory of 3308	5064	Silviozas Premium Proxy V3.85984.exe	85
PID 5064 wrote to memory of 3308	5064	Silviozas Premium Proxy V3.85984.exe	85
PID 5064 wrote to memory of 3308	5064	Silviozas Premium Proxy V3.85984.exe	85
PID 1868 wrote to memory of 3532	1868	Silviozas Premium Proxy V3.85984.exe	86
PID 1868 wrote to memory of 3532	1868	Silviozas Premium Proxy V3.85984.exe	86
PID 1868 wrote to memory of 1380	1868	Silviozas Premium Proxy V3.85984.exe	87
PID 1868 wrote to memory of 1380	1868	Silviozas Premium Proxy V3.85984.exe	87
PID 1380 wrote to memory of 1928	1380	cmd.exe	88
PID 1380 wrote to memory of 1928	1380	cmd.exe	88
PID 5064 wrote to memory of 4276	5064	Silviozas Premium Proxy V3.85984.exe	89
PID 5064 wrote to memory of 4276	5064	Silviozas Premium Proxy V3.85984.exe	89
PID 1868 wrote to memory of 3952	1868	Silviozas Premium Proxy V3.85984.exe	93
PID 1868 wrote to memory of 3952	1868	Silviozas Premium Proxy V3.85984.exe	93
PID 1868 wrote to memory of 4412	1868	Silviozas Premium Proxy V3.85984.exe	95
PID 1868 wrote to memory of 4412	1868	Silviozas Premium Proxy V3.85984.exe	95
PID 4412 wrote to memory of 4324	4412	cmd.exe	96
PID 4412 wrote to memory of 4324	4412	cmd.exe	96
PID 4412 wrote to memory of 4488	4412	cmd.exe	97
PID 4412 wrote to memory of 4488	4412	cmd.exe	97
PID 4412 wrote to memory of 2416	4412	cmd.exe	98
PID 4412 wrote to memory of 2416	4412	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe
"C:\Users\Admin\AppData\Local\Temp\Silviozas Premium Proxy V3.85984.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\uly1qiys.k1i\Silviozas Premium Proxy V3.85984.exe
  "C:\Users\Admin\AppData\Local\Temp\uly1qiys.k1i\Silviozas Premium Proxy V3.85984.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "Add-MpPreference -ExclusionPath 'C:\Users\Public\Proxy_Stuff\Silviozas Premium Proxy.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0A
    3⤵
    PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\uly1qiys.k1i\Silviozas Premium Proxy V3.85984.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\uly1qiys.k1i\Silviozas Premium Proxy V3.85984.exe" MD5
      4⤵
      PID:4324
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:4488
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2416
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l220kayq.okc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\uly1qiys.k1i\Silviozas Premium Proxy V3.85984.exe

Filesize
2.0MB

MD5
c671cffbc1466d28212399e16035d2c3

SHA1
90037556b5f85796d56de164336dd25d479100f3

SHA256
a01646d5fc27869bc3dc6fc0b291e7abb1915edc945eea648a9ac1d101807c89

SHA512
a7a5ec98ca342b1a16e81f2af813bc6491be2cbc8e16b062ee757a362e0130579b828685551cfc42b7f5495fdd1af15841b5edb9dbd76e89353fafe58423c5a6

Download Submit
memory/1868-55-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/1868-54-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/1868-68-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/1868-62-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/1868-59-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/1868-58-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/1868-24-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/1868-56-0x00007FF7AE4D0000-0x00007FF7AED6E000-memory.dmp

Filesize
8.6MB

Download
memory/4276-31-0x000001BFBAF30000-0x000001BFBAF52000-memory.dmp

Filesize
136KB

Download
memory/5064-2-0x0000000003510000-0x0000000003560000-memory.dmp

Filesize
320KB

Download
memory/5064-1-0x0000000000EF0000-0x00000000013EC000-memory.dmp

Filesize
5.0MB

Download
memory/5064-53-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-6-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-0-0x00007FFE00F33000-0x00007FFE00F35000-memory.dmp

Filesize
8KB

Download
memory/5064-4-0x000000001C400000-0x000000001C642000-memory.dmp

Filesize
2.3MB

Download
memory/5064-23-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-3-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-17-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/5064-14-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads