Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    13/09/2021, 11:18 UTC

General

  • Target

    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe

  • Size

    80KB

  • MD5

    3d330c6e2e14c3e682aec36e1abeb028

  • SHA1

    59665acd4f6398afb4d5ab515e95a886648f161c

  • SHA256

    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce

  • SHA512

    e4c5b6570d3823f985e5516dbb9917f3c9c3ccd7a780de1e7cd179f7f338f0d0579e62d988898ae7002e774daec3bf6a29d5d87b5e70cb43e6b06ad627e984c3

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
    "C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1832
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1420

Network

  • flag-us
    DNS
    phonefix.bar
    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
    Remote address:
    8.8.8.8:53
    Request
    phonefix.bar
    IN A
    Response
    phonefix.bar
    IN A
    104.21.10.67
    phonefix.bar
    IN A
    172.67.131.66
  • flag-us
    GET
    https://phonefix.bar/api.php?getusers
    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
    Remote address:
    104.21.10.67:443
    Request
    GET /api.php?getusers HTTP/1.1
    Host: phonefix.bar
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:18:19 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=B77KaJsjG7I9MrH%2BJw1rwXOacKyhQmP4USoafNuuI8dvx2dR6efQkrbW3Xpp3vv%2F7gnHphlmHGmP7TecQVDNTPyhob6PKEJMFByMA8Cs37%2Fnl9KzGqBKwlocn7brM8Q%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0f963c9ffc82b-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • flag-us
    GET
    https://phonefix.bar/api.php
    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
    Remote address:
    104.21.10.67:443
    Request
    GET /api.php HTTP/1.1
    Host: phonefix.bar
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:18:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lX65FQy0KDqsK3OLMMAbZnyGo5FUo9Ka7y5ODe3b4SGTEhzlj5EBIMNfNs0MY5YdY6jWLFN79%2BWtUJhe%2BVMVSO3V%2FPhWjO5NToh6HCHOryQ4YB38bYL%2FuSXzUkUU1rs%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0f97c280cc82b-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • flag-us
    POST
    https://phonefix.bar/
    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
    Remote address:
    104.21.10.67:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=------------------------8d976a8b1920f30
    Host: phonefix.bar
    Content-Length: 3563
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:18:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Yx8Kib4i%2BVdcOiE1i8pmCLUQP5t%2BGSVpATDDOCN2%2B%2FEdGLAFCB9inGGAqagpRcsFanuZfoAaAYGqBWf%2FaHLQwR5xDx7hRPngB%2FDD228rG7udBJrEqC0EQ4ll6hAJraQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0f97f6af0c82b-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • 104.21.10.67:443
    https://phonefix.bar/
    tls, http
    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
    40.7kB
    2.2MB
    794
    1523

    HTTP Request

    GET https://phonefix.bar/api.php?getusers

    HTTP Response

    200

    HTTP Request

    GET https://phonefix.bar/api.php

    HTTP Response

    200

    HTTP Request

    POST https://phonefix.bar/

    HTTP Response

    200
  • 8.8.8.8:53
    phonefix.bar
    dns
    36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
    58 B
    90 B
    1
    1

    DNS Request

    phonefix.bar

    DNS Response

    104.21.10.67
    172.67.131.66

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1032-53-0x0000000000B30000-0x0000000000B31000-memory.dmp

    Filesize

    4KB

  • memory/1032-55-0x0000000000210000-0x000000000022B000-memory.dmp

    Filesize

    108KB

  • memory/1032-56-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

    Filesize

    4KB

  • memory/1420-58-0x0000000000490000-0x00000000004A8000-memory.dmp

    Filesize

    96KB
