Analysis

  • max time kernel
    154s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 03:06

General

  • Target

    91da0c134350b0c47432593bf1d6d09bab05aa076c94c16cea90404fadbfed7c.exe

  • Size

    2.0MB

  • MD5

    dc4987d67367520d42467a4c74ccbd7d

  • SHA1

    1f86f81c05502bed9a28768757515dcb43fa6fb0

  • SHA256

    91da0c134350b0c47432593bf1d6d09bab05aa076c94c16cea90404fadbfed7c

  • SHA512

    c8922242702410a508dd3e73e5db8e498fd635671ed51b468164e9003a603f9446980061a4ba34260aeb9fc4072e68af6ed6cbe77fefca641329a97097a3a5f1

Malware Config

Signatures

  • ElysiumStealer

    ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

  • ElysiumStealer Payload 3 IoCs
  • ElysiumStealer Support DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s); this is likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91da0c134350b0c47432593bf1d6d09bab05aa076c94c16cea90404fadbfed7c.exe
    "C:\Users\Admin\AppData\Local\Temp\91da0c134350b0c47432593bf1d6d09bab05aa076c94c16cea90404fadbfed7c.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Users\Admin\AppData\Local\Temp\3582-490\91da0c134350b0c47432593bf1d6d09bab05aa076c94c16cea90404fadbfed7c.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\91da0c134350b0c47432593bf1d6d09bab05aa076c94c16cea90404fadbfed7c.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1092
        3⤵
        • Program crash
        PID:2296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4876 -ip 4876
    1⤵
      PID:4724

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\91da0c134350b0c47432593bf1d6d09bab05aa076c94c16cea90404fadbfed7c.exe

      Filesize

      2.0MB

      MD5

      328363afedfb05a045788fc37273ab0b

      SHA1

      38a3e9d74af2b746382c8fab5666cac1b0300297

      SHA256

      ee7666c6cd823b082bfd9ecc8fe2c090e23e4882da3759c3d07bd5d8ade47790

      SHA512

      5db66eb7275c6f127117dc25612dc3fbd3ffc129057498ae2fe125526b95cf17e3a4fe56f58d72c10ec21c54e13a9aac182c3c35727219fa0f86f4e030d8f448

    • C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

      Filesize

      40KB

      MD5

      94173de2e35aa8d621fc1c4f54b2a082

      SHA1

      fbb2266ee47f88462560f0370edb329554cd5869

      SHA256

      7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

      SHA512

      cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

    • memory/4876-130-0x0000000000000000-mapping.dmp

    • memory/4876-133-0x0000000000140000-0x0000000000344000-memory.dmp

      Filesize

      2.0MB

    • memory/4876-135-0x0000000004DA0000-0x0000000004E3C000-memory.dmp

      Filesize

      624KB

    • memory/4876-136-0x0000000005480000-0x0000000005A24000-memory.dmp

      Filesize

      5.6MB

    • memory/4876-137-0x0000000004F70000-0x0000000005002000-memory.dmp

      Filesize

      584KB

    • memory/4876-138-0x0000000004E40000-0x0000000004E4A000-memory.dmp

      Filesize

      40KB

    • memory/4876-139-0x0000000004ED0000-0x0000000004F26000-memory.dmp

      Filesize

      344KB