Overview

overview

10

Static

static

2468852.exe

windows7_x64

7

2468852.exe

windows10_x64

7

4422625.exe

windows7_x64

10

4422625.exe

windows10_x64

10

4701556.exe

windows7_x64

8

4701556.exe

windows10_x64

8

8383001.exe

windows7_x64

10

8383001.exe

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    12-08-2021 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8383001.exe

  • Size

    181KB

  • MD5

    36acd7e8f309426cb30aeda6c58234a6

  • SHA1

    e111555e3324dcb03fda2b03fd4f765dec10ee75

  • SHA256

    d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d

  • SHA512

    62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c

Score
10/10
discoveryspywarestealersuricata

Malware Config

Signatures

  • suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)

    suricata
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8383001.exe
    "C:\Users\Admin\AppData\Local\Temp\8383001.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1948
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/980-60-0x0000000000E40000-0x0000000000E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/980-62-0x0000000000660000-0x000000000068B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/980-63-0x0000000000A90000-0x0000000000A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1600-64-0x0000000000000000-mapping.dmp

    Download

  • memory/1600-65-0x0000000000440000-0x0000000000441000-memory.dmp

    Filesize

    4KB

    Download