Analysis

  • max time kernel
    83s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    13/09/2021, 11:19 UTC

General

  • Target

    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe

  • Size

    78KB

  • MD5

    a8db62010fc3ff8a86abdf3988646a8c

  • SHA1

    247577574d8f60a064b03d9f2a627d0bdbc6d2a6

  • SHA256

    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d

  • SHA512

    8234d169c809f91658f88ccb80be1dbae587ff9e0a3e517f4b42ac0f2e4a3be73b77bba787b6ebc55422c2f081b9c07e44f1192d63c90d3837b55597f68b0e1d

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar artifacts.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
    "C:\Users\Admin\AppData\Local\Temp\cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 2120
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644

Network

  • flag-us
    DNS
    phonefix.bar
    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
    Remote address:
    8.8.8.8:53
    Request
    phonefix.bar
    IN A
    Response
    phonefix.bar
    IN A
    172.67.131.66
    phonefix.bar
    IN A
    104.21.10.67
  • flag-us
    GET
    https://phonefix.bar/api.php?getusers
    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
    Remote address:
    172.67.131.66:443
    Request
    GET /api.php?getusers HTTP/1.1
    Host: phonefix.bar
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:19:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hSa8w%2BzVOgnaQV%2B%2FgAR5ZzIQrvnGR2sMznwr7kGQWijzLl2YqKF23LPP5YrgIGinEwYdMznZGO%2Bs4r3RiSNiJKTJaI3xcDn%2FCn6sxt5GDADVuKS9Z7gX9%2BG%2FpH%2B%2FiQc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0fb0f0b3b9c9f-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • flag-us
    GET
    https://phonefix.bar/api.php
    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
    Remote address:
    172.67.131.66:443
    Request
    GET /api.php HTTP/1.1
    Host: phonefix.bar
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:19:31 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GvhwFvx4c%2Fmnw8DbmA0eHmieDXUNVZK%2BuSONOrfS%2B%2B1yEQTSfFr1DEBq0lGGngIQTRFPfnXx211BmeuTmV%2BeOlHTi1SRIPKNhA7fqsQ9HqkT03X0qmY0tPI0UjG2Q5g%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0fb250e7e9c9f-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • flag-us
    POST
    https://phonefix.bar/
    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
    Remote address:
    172.67.131.66:443
    Request
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=------------------------8d976a85a633308
    Host: phonefix.bar
    Content-Length: 2737
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Mon, 13 Sep 2021 11:19:32 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    x-powered-by: PHP/7.1.33
    CF-Cache-Status: DYNAMIC
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iV2mbDWDIyXOflix7O49Fu%2FQp8Ku4sYXxowVLsrfwrfJujMu55XSegnTlfbP2Ygvu2BNW2wdkJm2VAnxH9FKHQhxghim6REAlMttlcuukY90r%2FUr%2BXgRU8N%2BQ8bSl3Y%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 68e0fb287f159c9f-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  • 172.67.131.66:443
    https://phonefix.bar/
    tls, http
    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
    38.2kB
    2.2MB
    757
    1488

    HTTP Request

    GET https://phonefix.bar/api.php?getusers

    HTTP Response

    200

    HTTP Request

    GET https://phonefix.bar/api.php

    HTTP Response

    200

    HTTP Request

    POST https://phonefix.bar/

    HTTP Response

    200
  • 8.8.8.8:53
    phonefix.bar
    dns
    cb129cd67225cb40c544eab07466be9305132fc9607214174b48f4167e0b6b3d.exe
    58 B
    90 B
    1
    1

    DNS Request

    phonefix.bar

    DNS Response

    172.67.131.66
    104.21.10.67

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3944-117-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

  • memory/3944-119-0x0000000000CE0000-0x0000000000CFB000-memory.dmp

    Filesize

    108KB

  • memory/3944-120-0x0000000004B60000-0x0000000004B61000-memory.dmp

    Filesize

    4KB

  • memory/3944-121-0x0000000007B80000-0x0000000007B81000-memory.dmp

    Filesize

    4KB

  • memory/3944-122-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

    Filesize

    4KB

  • memory/3944-123-0x0000000008470000-0x0000000008471000-memory.dmp

    Filesize

    4KB

  • memory/3944-124-0x0000000008210000-0x0000000008211000-memory.dmp

    Filesize

    4KB
