Analysis
- max time kernel: 300s
- max time network: 282s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-03-2021 07:08
Tasks
- Static task static1
- Behavioral tasks behavioral1, behavioral2, behavioral3, behavioral4: sample BTRSetp.exe, resource win10v20201028
- Behavioral task behavioral5: sample BTRSetp.exe, resource win7v20201028
General
- Target: BTRSetp.exe
- Size: 258KB
- MD5: 1165ce455c6ff9ad6c27e49a8094b069
- SHA1: 3ba061200d28f39ce95a2d493d26c8eb54160e85
- SHA256: c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
- SHA512: dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4
Malware Config
Signatures
- ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
- ElysiumStealer Payload 3 IoCs
  resource / yara_rule:
  C:\ProgramData\4483664.49 (elysiumstealer)
  C:\ProgramData\4483664.49 (elysiumstealer)
  behavioral2/memory/788-38-0x0000000004E20000-0x0000000004E26000-memory.dmp (elysiumstealer)
- ElysiumStealer Support DLL 1 IoCs
  resource / yara_rule:
  \Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll (elysiumstealer_dll)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- XMRig Miner Payload 1 IoCs
  resource / yara_rule:
  behavioral2/memory/2576-74-0x0000000140000000-0x0000000140B75000-memory.dmp (xmrig)
  The matched region starts at 0x140000000, the default image base of a 64-bit Windows executable, and is 11.5MB long, so the rule fired on the loaded Driver.exe image (pid 2576) rather than on a small injected buffer.
- Executes dropped EXE 6 IoCs
  pid / process:
  3228 8210900.90
  3612 187176.2
  2936 3041601.33
  788 4483664.49
  3848 Windows Host.exe
  2576 Driver.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments; on VirtualBox and VMware guests these two values carry the hypervisor vendor string, which is what such a check looks for.
  3041601.33: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  3041601.33: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Drops startup file 1 IoCs
  3041601.33: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url
- Loads dropped DLL 1 IoCs
  pid / process:
  788 4483664.49
- Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer (yara rule themida) 3 IoCs
  resource / yara_rule:
  C:\ProgramData\3041601.33 (themida)
  C:\ProgramData\3041601.33 (themida)
  behavioral2/memory/2936-48-0x0000000000CB0000-0x0000000000CB1000-memory.dmp (themida)
- Adds Run key to start application 2 TTPs 2 IoCs
  187176.2: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"
  3041601.33: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\3041601.33"
  The Driver value points at Sysfiles\3041601.33, a path that does not appear in the dropped-files list below; the miner actually launched from that directory is Sysfiles\Driver.exe (see the process tree), and the report does not show what the Startup-folder Driver.url points to.
- Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled 1 IoCs
  3041601.33: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  EnableLUA = 0 means UAC is switched off; the value is only read here, not written.
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid / process:
  2936 3041601.33
  ThreadHideFromDebugger stops the calling thread from delivering debug events to an attached debugger; it is a standard anti-debugging move and is consistent with the Themida match on the same process.
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That last sentence is the sandbox's generic text for this signature; nothing else in this report supports ransomware, and the observed behaviour of the sample is credential theft plus mining.
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid / process:
  3228 8210900.90 (2 entries)
  788 4483664.49 (1 entry)
  2936 3041601.33 (all remaining entries; 64 IoCs listed in total)
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Token: SeDebugPrivilege 648 BTRSetp.exe
  Token: SeDebugPrivilege 3228 8210900.90
  Token: SeDebugPrivilege 788 4483664.49
  Token: SeDebugPrivilege 2936 3041601.33
  Token: SeLockMemoryPrivilege 2576 Driver.exe
  Token: SeLockMemoryPrivilege 2576 Driver.exe
  SeLockMemoryPrivilege ("Lock pages in memory") is the privilege XMRig requests to back its scratchpad with large pages, and Driver.exe is the process whose memory matched the xmrig rule.
- Suspicious use of WriteProcessMemory 17 IoCs
  source pid/process -> target pid/process (number of writes)
  648 BTRSetp.exe -> 3228 8210900.90 (3)
  648 BTRSetp.exe -> 3612 187176.2 (3)
  648 BTRSetp.exe -> 2936 3041601.33 (3)
  648 BTRSetp.exe -> 788 4483664.49 (3)
  3612 187176.2 -> 3848 Windows Host.exe (3)
  2936 3041601.33 -> 2576 Driver.exe (2)
  Every target is a child that the writer itself spawned (see the process tree); no write into a pre-existing process is recorded.
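The registry, file and token IoCs above are the raw material for a host-side detection. The Python below is an added example written for this page (it is not part of the Triage report and not any vendor's rule set) that classifies sandbox-style behaviour events into evasion, persistence and privilege findings. The event list is constructed from this report's IoCs plus one benign control event; the ACPI key prefix, the category names and the "user-writable location" heuristic are the editor's own assumptions.

```python
"""Classify sandbox-style behaviour events into evasion, persistence and privilege findings.

Added example for this page, not part of the Triage output: EVENTS is constructed
from the registry, file and token IoCs in the report (plus one benign control event),
and the rule set below is the editor's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (pid, process, operation, target, value) -- constructed from the report's IoC lines.
EVENTS = [
    (2936, "3041601.33", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None),
    (2936, "3041601.33", "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", None),
    (2936, "3041601.33", "Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", None),
    (3612, "187176.2", "Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host",
     r"C:\ProgramData\Windows Host\Windows Host.exe"),
    (2936, "3041601.33", "Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver",
     r"C:\Users\Admin\AppData\Roaming\Sysfiles\3041601.33"),
    (2936, "3041601.33", "File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url", None),
    (648, "BTRSetp.exe", "Token", "SeDebugPrivilege", None),
    (2576, "Driver.exe", "Token", "SeLockMemoryPrivilege", None),
    # Benign control event (constructed, not from the report): an ordinary version lookup.
    (1234, "svchost.exe", "Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", None),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    category: str
    detail: str


# Values the report shows being read to fingerprint the machine; on VirtualBox and
# VMware guests they contain the hypervisor vendor string.
SANDBOX_PROBE_VALUES = {"SystemBiosVersion", "VideoBiosVersion"}
# Editor's assumption: the ACPI table keys VirtualBox brands with VBOX__ are probed too.
SANDBOX_PROBE_PREFIX = "\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\".upper()
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
PRIV_CATEGORY = {
    "SeDebugPrivilege": "debug_privilege",              # open / inject into other processes
    "SeLockMemoryPrivilege": "lock_memory_privilege",   # large pages; XMRig asks for this
}


def leaf(path):
    """Last component of a registry or file path."""
    return path.rsplit("\\", 1)[-1]


def classify_event(pid, process, op, target, value):
    """Return a Finding for one event, or None when no rule matches."""
    if op == "Key value queried":
        if leaf(target) in SANDBOX_PROBE_VALUES or target.upper().startswith(SANDBOX_PROBE_PREFIX):
            return Finding(pid, process, "sandbox_probe", target)
        if leaf(target) == "EnableLUA":
            return Finding(pid, process, "uac_check", target)
    elif op == "Set value (str)" and RUN_KEY.search(target):
        detail = f"Run\\{leaf(target)} = {value}"
        if value and USER_WRITABLE.match(value):
            detail += " [user-writable location]"
        return Finding(pid, process, "run_key_persistence", detail)
    elif op == "File created" and STARTUP_DIR.search(target):
        return Finding(pid, process, "startup_persistence", target)
    elif op == "Token" and target in PRIV_CATEGORY:
        return Finding(pid, process, PRIV_CATEGORY[target], target)
    return None


def classify(events):
    return [f for f in (classify_event(*e) for e in events) if f is not None]


def summarize(findings):
    """Map each process name to the set of categories it triggered."""
    by_proc = defaultdict(set)
    for f in findings:
        by_proc[f.process].add(f.category)
    return dict(by_proc)


if __name__ == "__main__":
    for proc, cats in sorted(summarize(classify(EVENTS)).items()):
        print(f"{proc:14s} {', '.join(sorted(cats))}")
```

Run as a script it prints one line per process; 3041601.33 collects four categories on its own, which is the same picture the process tree above gives, while the control event produces nothing.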
Processes
C:\Users\Admin\AppData\Local\Temp\BTRSetp.exe (pid 648, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\BTRSetp.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\8210900.90 (pid 3228, depth 2)
    "C:\ProgramData\8210900.90"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\ProgramData\187176.2 (pid 3612, depth 2)
    "C:\ProgramData\187176.2"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\Windows Host\Windows Host.exe (pid 3848, depth 3)
      "C:\ProgramData\Windows Host\Windows Host.exe"
      - Executes dropped EXE
  C:\ProgramData\3041601.33 (pid 2936, depth 2)
    "C:\ProgramData\3041601.33"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe (pid 2576, depth 3)
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
      (XMRig-style arguments: -o pool host:port, -u wallet, -p pool password, -k keepalive, --donate-level=1, -t 1 mining thread. The wallet is a 95-character Monero address beginning with 8, i.e. a subaddress.)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  C:\ProgramData\4483664.49 (pid 788, depth 2)
    "C:\ProgramData\4483664.49"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
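Driver.exe's command line carries the most directly actionable indicators in this report, the pool and the wallet. The Python below is an added example (not part of the report and not XMRig's own code) that tokenises a Windows command line and pulls those values out. The option table covers only the options seen here plus their long forms, the Monero check is based on the address format (95 base58 characters, leading 4 for a standard address or 8 for a subaddress), and the "looks_like_miner" heuristic is the editor's own.

```python
"""Pull pool and wallet IoCs out of a miner command line.

Added example for this page, not from the report or from XMRig. DRIVER_CMDLINE is the
command line the report recorded for Driver.exe; tokenizer, option table and the
miner heuristic are the editor's own.
"""
import re

DRIVER_CMDLINE = (
    r'"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" '
    "-o pool.supportxmr.com:3333 "
    "-u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH "
    "-p x -k -v=0 --donate-level=1 -t 1"
)

# Options that take a separate value argument (only those seen here plus their long forms).
VALUE_OPTS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-t": "threads", "--threads": "threads",
}
# Monero address: 95 base58 characters (no 0, O, I, l); '4' = standard, '8' = subaddress.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def split_windows_cmdline(cmdline):
    """Split on whitespace, keeping double-quoted runs together (quotes stripped).
    Backslashes stay literal, which is why shlex's POSIX mode is not used here."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t.startswith('"') and t.endswith('"') else t
            for t in tokens]


def parse_miner_args(argv):
    """Tiny getopt: --name=value, -x value for known options, bare flags become True."""
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and "=" in tok:
            name, _, val = tok.partition("=")
            opts[name.lstrip("-")] = val
        elif tok in VALUE_OPTS and i + 1 < len(argv):
            opts[VALUE_OPTS[tok]] = argv[i + 1]
            i += 1
        elif tok.startswith("-"):
            opts[tok.lstrip("-")] = True
        i += 1
    return opts


def extract_pool_iocs(cmdline):
    argv = split_windows_cmdline(cmdline)
    opts = parse_miner_args(argv) if argv else {}
    url = opts.get("url", "")
    host, _, port = url.rpartition(":")
    host = host.rsplit("//", 1)[-1]          # drop a stratum+tcp:// style scheme if present
    wallet = opts.get("user", "")
    if MONERO_ADDR.match(wallet):
        wallet_type = "monero-subaddress" if wallet[0] == "8" else "monero-standard"
    else:
        wallet_type = "unknown"
    return {
        "image": argv[0] if argv else "",
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": wallet,
        "wallet_type": wallet_type,
        "donate_level": opts.get("donate-level"),
        "threads": opts.get("threads"),
        "keepalive": opts.get("k") is True or opts.get("keepalive") is True,
        # Editor's heuristic: a pool host plus a wallet-shaped user name is the
        # minimum shape of a miner launch, whatever the binary is called.
        "looks_like_miner": bool(host and wallet),
    }


if __name__ == "__main__":
    for k, v in extract_pool_iocs(DRIVER_CMDLINE).items():
        print(f"{k:14s} {v}")
```

The host:port pair and the wallet are what you would block or hunt on; the image name is worthless here, since "Driver.exe" is whatever the dropper chose to call it.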
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\187176.2
  MD5 f7a040bef124bb5716718b77c788cbf4
  SHA1 0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18
  SHA256 2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea
  SHA512 bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8
-
C:\ProgramData\3041601.33
  MD5 880fd252bc4e801e6170002efb6aef4d
  SHA1 b10c102503f73acc57fc14326108e300fa94f8f5
  SHA256 9157304786300c4f67a767995b5432d524e18243642c8dc5f96a44b4792ae911
  SHA512 91071cd35e463d06f42c1cfb80be89a4fb8749f4936e699080ff0088281a3483c03f19beefd8f9ab403364475327e15b5ee65162a917f7a47b162a8105fc40a2
-
C:\ProgramData\4483664.49
  MD5 02d586b2b772f5bf3ff9068d03a7f9c1
  SHA1 64f09d1f6ae801bfda1f782a14dcb08c1a2518f7
  SHA256 a078e95bd8f961433ccb7465a866efffa4e1d23c6c1dceece246928133762bc9
  SHA512 3c927b3b2b0b29b3f4ba06eaa18159e51ec4d1b45bbaae54f7a7bc37428b89127c8c6e14515be1221cbe938bc5adc5efd0fc77d855c8da52e5a6e4a0531cc993
-
C:\ProgramData\8210900.90
  MD5 2586f08dfe627ea31b60e5d95abf6e73
  SHA1 413320766fcc45a353c4d6c68647b48600580575
  SHA256 3307ac37e52543cc7fa8e86732aade60a666eabcb47d5337378c7f11d5636480
  SHA512 851bf6a564dd4d53af408324edb6db7fdf7491ef08a71057733ca7cfa5df7f9a1145adfddb49b6cc7aa8418ec56e4d8e9a8bd1c29a26f9f2e2147e66f56ce81a
-
C:\ProgramData\Windows Host\Windows Host.exe
  MD5 f7a040bef124bb5716718b77c788cbf4
  SHA1 0ad2f39ab5786a0c918b70cd0ed5c97ffb828a18
  SHA256 2b33279027a6c62d717f3c2875bbc7fcc323801265baadca4fa0fba619b677ea
  SHA512 bb5af9692c5ca5bc76dd987ab15280cfec7ed05cfce5d8add4ae3b68f77e516b3cd8fb3ae02cdbeae62cb6a1db4c9b25e462f8f9c16e95daa50a6001d125a7f8
  Identical hashes to C:\ProgramData\187176.2: 187176.2 installs a copy of itself under this name, which is also the file its Run key points at and the child it spawns.
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  MD5 02569a7a91a71133d4a1023bf32aa6f4
  SHA1 0f16bcb3f3f085d3d3be912195558e9f9680d574
  SHA256 8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
  SHA512 534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
  The XMRig miner launched by 3041601.33 (pid 2936).
-
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
  MD5 94173de2e35aa8d621fc1c4f54b2a082
  SHA1 fbb2266ee47f88462560f0370edb329554cd5869
  SHA256 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
  SHA512 cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798
  The ElysiumStealer support DLL and the only dropped DLL in the run; the "Loads dropped DLL" hit is on 4483664.49 (pid 788).
-
Memory dumps (name = pid-index-start-end; *-mapping.dmp files carry no address range)
pid 648 BTRSetp.exe
  memory/648-2-0x00007FF8522D0000-0x00007FF852CBC000-memory.dmp (9.9MB)
  memory/648-3-0x0000000000550000-0x0000000000551000-memory.dmp (4KB)
  memory/648-5-0x0000000000C70000-0x0000000000C71000-memory.dmp (4KB)
  memory/648-6-0x0000000000C80000-0x0000000000CB3000-memory.dmp (204KB)
  memory/648-7-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (4KB)
  memory/648-11-0x000000001B1F0000-0x000000001B1F2000-memory.dmp (8KB)
pid 788 4483664.49
  memory/788-28-0x0000000000000000-mapping.dmp
  memory/788-33-0x0000000073FF0000-0x00000000746DE000-memory.dmp (6.9MB)
  memory/788-36-0x0000000000630000-0x0000000000631000-memory.dmp (4KB)
  memory/788-38-0x0000000004E20000-0x0000000004E26000-memory.dmp (24KB, yara elysiumstealer)
  memory/788-43-0x0000000002850000-0x0000000002851000-memory.dmp (4KB)
  memory/788-61-0x0000000005B70000-0x0000000005B71000-memory.dmp (4KB)
  memory/788-66-0x0000000006340000-0x0000000006341000-memory.dmp (4KB)
pid 2576 Driver.exe
  memory/2576-69-0x0000000000000000-mapping.dmp
  memory/2576-72-0x00000000001B0000-0x00000000001C4000-memory.dmp (80KB)
  memory/2576-74-0x0000000140000000-0x0000000140B75000-memory.dmp (11.5MB, yara xmrig)
  memory/2576-75-0x00000000001E0000-0x0000000000200000-memory.dmp (128KB)
  memory/2576-76-0x00000000004D0000-0x00000000004F0000-memory.dmp (128KB)
pid 2936 3041601.33
  memory/2936-21-0x0000000000000000-mapping.dmp
  memory/2936-42-0x0000000077E24000-0x0000000077E25000-memory.dmp (4KB)
  memory/2936-46-0x0000000073FF0000-0x00000000746DE000-memory.dmp (6.9MB)
  memory/2936-48-0x0000000000CB0000-0x0000000000CB1000-memory.dmp (4KB, yara themida)
  memory/2936-73-0x00000000055A0000-0x00000000055A1000-memory.dmp (4KB)
pid 3228 8210900.90
  memory/3228-8-0x0000000000000000-mapping.dmp
  memory/3228-16-0x0000000073FF0000-0x00000000746DE000-memory.dmp (6.9MB)
  memory/3228-17-0x00000000006A0000-0x00000000006A1000-memory.dmp (4KB)
  memory/3228-24-0x0000000000CA0000-0x0000000000CA1000-memory.dmp (4KB)
  memory/3228-26-0x0000000004F40000-0x0000000004F41000-memory.dmp (4KB)
  memory/3228-39-0x000000000A5D0000-0x000000000A604000-memory.dmp (208KB)
  memory/3228-41-0x0000000001140000-0x0000000001141000-memory.dmp (4KB)
pid 3612 187176.2
  memory/3612-10-0x0000000000000000-mapping.dmp
  memory/3612-15-0x0000000073FF0000-0x00000000746DE000-memory.dmp (6.9MB)
  memory/3612-19-0x00000000008B0000-0x00000000008B1000-memory.dmp (4KB)
  memory/3612-25-0x00000000012D0000-0x00000000012D1000-memory.dmp (4KB)
  memory/3612-27-0x00000000012F0000-0x00000000012FD000-memory.dmp (52KB)
  memory/3612-29-0x000000000AA30000-0x000000000AA31000-memory.dmp (4KB)
  memory/3612-31-0x000000000A610000-0x000000000A611000-memory.dmp (4KB)
  memory/3612-35-0x000000000A570000-0x000000000A571000-memory.dmp (4KB)
pid 3848 Windows Host.exe
  memory/3848-45-0x0000000000000000-mapping.dmp
  memory/3848-50-0x0000000073FF0000-0x00000000746DE000-memory.dmp (6.9MB)
  memory/3848-59-0x00000000054B0000-0x00000000054B1000-memory.dmp (4KB)
  memory/3848-60-0x000000000E8A0000-0x000000000E8A1000-memory.dmp (4KB)
The same 6.9MB range 0x73FF0000-0x746DE000 is dumped from pids 788, 2936, 3228, 3612 and 3848, i.e. one module mapped at the same base in each of the dropped executables; the yara tags above are the dump-level matches from the Signatures section.
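The memory-dump names above encode the pid, a dump index and the virtual address range of the region. The Python below is an added example (not part of the report) that decodes them, reproduces the report's size column, and ranks the dumps an analyst would open first: those with a YARA hit and those that start at a linker default image base, which for this run singles out the 11.5MB Driver.exe image at 0x140000000. The sample list and the YARA mapping are copied from this report; the image-base table holds the MSVC linker defaults, and the ranking rule is the editor's own.

```python
"""Decode sandbox memory-dump file names into regions, sizes and triage priority.

Added example for this page, not part of the report. SAMPLE_DUMPS and YARA_HITS are
copied from the report; DEFAULT_IMAGE_BASES are the MSVC linker defaults; the
ranking in triage() is the editor's own rule.
"""
import re

DUMP_NAME = re.compile(
    r"^(?:[^/]+/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Linker default ImageBase values; a dump starting exactly here is usually a whole PE image.
DEFAULT_IMAGE_BASES = {
    0x400000: "x86 exe", 0x10000000: "x86 dll",
    0x140000000: "x64 exe", 0x180000000: "x64 dll",
}

# Constructed from this report: a subset of the listed dumps and the YARA hits on them.
SAMPLE_DUMPS = [
    "memory/648-2-0x00007FF8522D0000-0x00007FF852CBC000-memory.dmp",
    "memory/788-28-0x0000000000000000-mapping.dmp",
    "behavioral2/memory/788-38-0x0000000004E20000-0x0000000004E26000-memory.dmp",
    "behavioral2/memory/2576-74-0x0000000140000000-0x0000000140B75000-memory.dmp",
    "behavioral2/memory/2936-48-0x0000000000CB0000-0x0000000000CB1000-memory.dmp",
    "memory/2936-46-0x0000000073FF0000-0x00000000746DE000-memory.dmp",
]
YARA_HITS = {
    "behavioral2/memory/788-38-0x0000000004E20000-0x0000000004E26000-memory.dmp": "elysiumstealer",
    "behavioral2/memory/2576-74-0x0000000140000000-0x0000000140B75000-memory.dmp": "xmrig",
    "behavioral2/memory/2936-48-0x0000000000CB0000-0x0000000000CB1000-memory.dmp": "themida",
}


def human_size(n):
    """Same rounding the report uses: whole KiB below 1 MiB, one decimal MiB above."""
    return f"{n / (1 << 20):.1f}MB" if n >= (1 << 20) else f"{n >> 10}KB"


def parse_dump_name(name):
    """Return the region described by a *-memory.dmp name, or None for *-mapping.dmp."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "name": name,
        "pid": int(m["pid"]), "index": int(m["idx"]),
        "start": start, "end": end, "size": end - start,
        "image_base": DEFAULT_IMAGE_BASES.get(start),
        "yara": YARA_HITS.get(name),
    }


def triage(names):
    """Dumps worth opening first: YARA hits and regions at a default image base, largest first."""
    parsed = [d for d in map(parse_dump_name, names) if d]
    return sorted((d for d in parsed if d["yara"] or d["image_base"]),
                  key=lambda d: -d["size"])


if __name__ == "__main__":
    for d in triage(SAMPLE_DUMPS):
        tag = d["yara"] or d["image_base"]
        print(f"pid {d['pid']:5d} {human_size(d['size']):>7s} 0x{d['start']:X} {tag}")
```

The ranking puts the 0x140000000 image from pid 2576 first, the 24KB elysiumstealer region from pid 788 second and the 4KB themida hit third; the 6.9MB region shared by several processes is left out because it matched nothing and sits at no default base.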