Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows7_x64 -
resource
win7-en -
submitted
13/09/2021, 11:18
Static task
static1
Behavioral task
behavioral1
Sample
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
Resource
win10v20210408
General
-
Target
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
-
Size
80KB
-
MD5
3d330c6e2e14c3e682aec36e1abeb028
-
SHA1
59665acd4f6398afb4d5ab515e95a886648f161c
-
SHA256
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce
-
SHA512
e4c5b6570d3823f985e5516dbb9917f3c9c3ccd7a780de1e7cd179f7f338f0d0579e62d988898ae7002e774daec3bf6a29d5d87b5e70cb43e6b06ad627e984c3
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1420 1032 WerFault.exe 25 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 1420 WerFault.exe 1420 WerFault.exe 1420 WerFault.exe 1420 WerFault.exe 1420 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1420 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe Token: SeDebugPrivilege 1420 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31 PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31 PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31 PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe"C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 18322⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1420
-