Analysis

  • max time kernel
    109s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02/05/2022, 15:13 UTC

General

  • Target

    f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe

  • Size

    242KB

  • MD5

    36885e55a22987da6f4d8009e9ad7d8b

  • SHA1

    139e95d227e908f40bed43de59aeeb6bd9358d88

  • SHA256

    f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd

  • SHA512

    e791cd9d634532ddbf2f265de65424896f7615ec2e0e56f78220494139299a084d7b61ec54624e10dc09af46b1d708f2a812e3e4a0a21ba31e2bb713a8b95a06

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
    "C:\Users\Admin\AppData\Local\Temp\f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4564
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1748
      2⤵
      • Program crash
      PID:4216
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4564 -ip 4564
    1⤵
      PID:4880

Network

    • (US)
      DNS
      t4p.xyz
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      Remote address:
      8.8.8.8:53
      Request
      t4p.xyz
      IN A
      Response
      t4p.xyz
      IN A
      52.58.78.16
    • (DE)
      GET
      http://t4p.xyz/api.php?getusers
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      Remote address:
      52.58.78.16:80
      Request
      GET /api.php?getusers HTTP/1.1
      Host: t4p.xyz
      Connection: Keep-Alive
    • (DE)
      GET
      http://t4p.xyz/api.php?getusers
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      Remote address:
      52.58.78.16:80
      Request
      GET /api.php?getusers HTTP/1.1
      Host: t4p.xyz
      Connection: Keep-Alive
    • (DE)
      GET
      http://t4p.xyz/api.php
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      Remote address:
      52.58.78.16:80
      Request
      GET /api.php HTTP/1.1
      Host: t4p.xyz
      Connection: Keep-Alive
    • (DE)
      GET
      http://t4p.xyz/api.php
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      Remote address:
      52.58.78.16:80
      Request
      GET /api.php HTTP/1.1
      Host: t4p.xyz
      Connection: Keep-Alive
    • 87.248.202.1:80
      46 B
      40 B
      1
      1
    • 67.24.25.254:80
      322 B
      7
    • 52.58.78.16:80
      http://t4p.xyz/api.php?getusers
      http
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      303 B
      172 B
      5
      4

      HTTP Request

      GET http://t4p.xyz/api.php?getusers
    • 52.58.78.16:80
      http://t4p.xyz/api.php?getusers
      http
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      303 B
      172 B
      5
      4

      HTTP Request

      GET http://t4p.xyz/api.php?getusers
    • 52.58.78.16:80
      http://t4p.xyz/api.php
      http
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      294 B
      172 B
      5
      4

      HTTP Request

      GET http://t4p.xyz/api.php
    • 52.58.78.16:80
      http://t4p.xyz/api.php
      http
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      294 B
      172 B
      5
      4

      HTTP Request

      GET http://t4p.xyz/api.php
    • 20.189.173.12:443
      322 B
      7
    • 8.238.20.126:80
      322 B
      7
    • 8.238.20.126:80
      322 B
      7
    • 8.238.20.126:80
      322 B
      7
    • 8.8.8.8:53
      t4p.xyz
      dns
      f4d3735a7a8d57ed6cc7c55a4204444ba4130624a5aa5b9351899e232c34f1bd.exe
      53 B
      69 B
      1
      1

      DNS Request

      t4p.xyz

      DNS Response

      52.58.78.16

MITRE ATT&CK Enterprise v6

Downloads

    • memory/4564-130-0x0000000000C90000-0x0000000000CD6000-memory.dmp

      Filesize

      280KB

    • memory/4564-131-0x00000000084A0000-0x0000000008506000-memory.dmp

      Filesize

      408KB

    • memory/4564-132-0x00000000087B0000-0x0000000008842000-memory.dmp

      Filesize

      584KB

    • memory/4564-133-0x0000000008E00000-0x00000000093A4000-memory.dmp

      Filesize

      5.6MB

    • memory/4564-134-0x0000000008BD0000-0x0000000008C6C000-memory.dmp

      Filesize

      624KB
