
Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    13/09/2021, 11:19 UTC

General

  • Target

    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe

  • Size

    79KB

  • MD5

    2cd5c4ee42e61a0f770d43f8f9ca558f

  • SHA1

    ac2878f25ce42de9d73278a2fecf73565b2f4dfe

  • SHA256

    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af

  • SHA512

    1ca622e5f06b3fb299ddb7658251f580768bc9e45a1ac0a228a7ce1c318dfbd8103eb155137e8c8fb6255b93cbc4fa49f0540b321add9d3a6b82bc776ae1197d

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTP

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoC
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoC
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe"
    PID: 2040
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\WerFault.exe (child of PID 2040)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1852
      PID: 440
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken

Network

  • US
    DNS
    phonefix.bar
    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
    Remote address:
    8.8.8.8:53
    Request
    phonefix.bar IN A
    Response
    phonefix.bar IN A 172.67.131.66
    phonefix.bar IN A 104.21.10.67
  • US
    GET
    https://phonefix.bar/api.php?getusers
    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
    Remote address:
    172.67.131.66:443
    Request
    GET /api.php?getusers HTTP/1.1
    Host: phonefix.bar
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:19:29 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fsU4uRd4PY5S3R6s23CjVYhapcKsHqBfLrOr%2F692SrYp%2B%2FjwPMP5BHETJ7kDuLtkKQFgp0FWOBMGFZ4p%2FRuprt0HQm4k3pK0rjQ9kwY1LjGMVJBs1OF%2FMBiUJhWuuzE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0fb16bf9a0132-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • US
    GET
    https://phonefix.bar/api.php
    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
    Remote address:
    172.67.131.66:443
    Request
    GET /api.php HTTP/1.1
    Host: phonefix.bar
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:19:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YOML8r9JtzBBh4GUtCgFw5M%2FM8ul01UOC%2FbCY1E6SVoA7GJxGtlMcbPOrzlgSdsg9IzHCeJzubefMgN2Ni6InoXlFm9Vtk%2BPJ3f7VxmA8NGrN0mPausWRAbgzjRWEXk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0fb327f160132-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • US
    POST
    https://phonefix.bar/
    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
    Remote address:
    172.67.131.66:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=------------------------8d976a8db2d9c10
    Host: phonefix.bar
    Content-Length: 3568
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:19:34 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wiaxxuygfuaWGIV7LDvqIhzs3FnZkOjkGdbNhHQYkNm3v4SxKuFD1fmZ0m9i%2Fosd2GB8%2F5Ki%2B4DN0nol76uHFKUJwK2bdcXr8SjNeze2b9J9svAXsur%2FFfJ6ayTaXJg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0fb36bc520132-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • 172.67.131.66:443
    https://phonefix.bar/
    tls, http
    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
    42.7kB
    2.2MB
    836
    1526

    HTTP Request

    GET https://phonefix.bar/api.php?getusers

    HTTP Response

    200

    HTTP Request

    GET https://phonefix.bar/api.php

    HTTP Response

    200

    HTTP Request

    POST https://phonefix.bar/

    HTTP Response

    200
  • 8.8.8.8:53
    phonefix.bar
    dns
    ee621d8e9638c6f298c5d323a7eb5138f6f9c656f8125c692c602422098683af.exe
    58 B
    90 B
    1
    1

    DNS Request

    phonefix.bar

    DNS Response

    172.67.131.66
    104.21.10.67

MITRE ATT&CK Enterprise v6


Downloads

  • memory/440-58-0x00000000002F0000-0x0000000000308000-memory.dmp

    Filesize

    96KB

  • memory/2040-53-0x0000000001280000-0x0000000001281000-memory.dmp

    Filesize

    4KB

  • memory/2040-55-0x00000000008B0000-0x00000000008CB000-memory.dmp

    Filesize

    108KB

  • memory/2040-56-0x0000000004A20000-0x0000000004A21000-memory.dmp

    Filesize

    4KB
