Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

e8ba766bb9...3b.exe

windows7_x64

10

e8ba766bb9...3b.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    13/09/2021, 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8ba766bb902971b556242a4cfef730a9d5e1913086fafd328740f85faf1963b.exe

  • Size

    80KB

  • MD5

    f46064337e616b027b70c51992514a6e

  • SHA1

    9a589a670c141bcc1a7e923376b34b65f41c39db

  • SHA256

    e8ba766bb902971b556242a4cfef730a9d5e1913086fafd328740f85faf1963b

  • SHA512

    163e771afc967f93b27ac6d84ef804d934cc7f707f007893c69d73a81f161d6bd7937b97598ae8e2eca7193a23cc3af1637ddc5c2fcf9a5a0e33120c6453d21a

Score
10/10
elysiumstealerdiscoveryspywarestealer

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    stealerelysiumstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8ba766bb902971b556242a4cfef730a9d5e1913086fafd328740f85faf1963b.exe
    "C:\Users\Admin\AppData\Local\Temp\e8ba766bb902971b556242a4cfef730a9d5e1913086fafd328740f85faf1963b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2072
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4700-115-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4700-117-0x0000000000A30000-0x0000000000A4B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4700-118-0x0000000000A60000-0x0000000000A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4700-119-0x0000000007640000-0x0000000007641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4700-120-0x0000000007A70000-0x0000000007A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4700-121-0x0000000008010000-0x0000000008011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4700-122-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

    Filesize

    4KB

    Download