Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
83s -
max time network
160s -
platform
windows10_x64 -
resource
win10-en -
submitted
13/09/2021, 11:19 UTC
Static task
static1
Behavioral task
behavioral1
Sample
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
Resource
win10-en
General
-
Target
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
-
Size
78KB
-
MD5
a8db62010fc3ff8a86abdf3988646a8c
-
SHA1
247577574d8f60a064b03d9f2a627d0bdbc6d2a6
-
SHA256
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d
-
SHA512
8234d169c809f91658f88ccb80be1dbae587ff9e0a3e517f4b42ac0f2e4a3be73b77bba787b6ebc55422c2f081b9c07e44f1192d63c90d3837b55597f68b0e1d
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2644 3944 WerFault.exe 68 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 3944 cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3944 cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe Token: SeRestorePrivilege 2644 WerFault.exe Token: SeBackupPrivilege 2644 WerFault.exe Token: SeDebugPrivilege 2644 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe"C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 21202⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
Network
-
Remote address:8.8.8.8:53Requestphonefix.barIN AResponsephonefix.barIN A172.67.131.66phonefix.barIN A104.21.10.67
-
GEThttps://phonefix.bar/api.php?getuserscb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exeRemote address:172.67.131.66:443RequestGET /api.php?getusers HTTP/1.1
Host: phonefix.bar
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hSa8w%2BzVOgnaQV%2B%2FgAR5ZzIQrvnGR2sMznwr7kGQWijzLl2YqKF23LPP5YrgIGinEwYdMznZGO%2Bs4r3RiSNiJKTJaI3xcDn%2FCn6sxt5GDADVuKS9Z7gX9%2BG%2FpH%2B%2FiQc%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68e0fb0f0b3b9c9f-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
GEThttps://phonefix.bar/api.phpcb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exeRemote address:172.67.131.66:443RequestGET /api.php HTTP/1.1
Host: phonefix.bar
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GvhwFvx4c%2Fmnw8DbmA0eHmieDXUNVZK%2BuSONOrfS%2B%2B1yEQTSfFr1DEBq0lGGngIQTRFPfnXx211BmeuTmV%2BeOlHTi1SRIPKNhA7fqsQ9HqkT03X0qmY0tPI0UjG2Q5g%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68e0fb250e7e9c9f-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
Remote address:172.67.131.66:443RequestPOST / HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8d976a85a633308
Host: phonefix.bar
Content-Length: 2737
Expect: 100-continue
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
x-powered-by: PHP/7.1.33
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iV2mbDWDIyXOflix7O49Fu%2FQp8Ku4sYXxowVLsrfwrfJujMu55XSegnTlfbP2Ygvu2BNW2wdkJm2VAnxH9FKHQhxghim6REAlMttlcuukY90r%2FUr%2BXgRU8N%2BQ8bSl3Y%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 68e0fb287f159c9f-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
-
172.67.131.66:443https://phonefix.bar/tls, httpcb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe38.2kB 2.2MB 757 1488
HTTP Request
GET https://phonefix.bar/api.php?getusersHTTP Response
200HTTP Request
GET https://phonefix.bar/api.phpHTTP Response
200HTTP Request
POST https://phonefix.bar/HTTP Response
200