Analysis
-
max time kernel
83s -
max time network
160s -
platform
windows10_x64 -
resource
win10-en -
submitted
13/09/2021, 11:19
Static task
static1
Behavioral task
behavioral1
Sample
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
Resource
win10-en
General
-
Target
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
-
Size
78KB
-
MD5
a8db62010fc3ff8a86abdf3988646a8c
-
SHA1
247577574d8f60a064b03d9f2a627d0bdbc6d2a6
-
SHA256
cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d
-
SHA512
8234d169c809f91658f88ccb80be1dbae587ff9e0a3e517f4b42ac0f2e4a3be73b77bba787b6ebc55422c2f081b9c07e44f1192d63c90d3837b55597f68b0e1d
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2644 3944 WerFault.exe 68 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 3944 cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe 2644 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3944 cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe Token: SeRestorePrivilege 2644 WerFault.exe Token: SeBackupPrivilege 2644 WerFault.exe Token: SeDebugPrivilege 2644 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe"C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 21202⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644
-