Analysis
-
max time kernel
78s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
04-10-2022 14:21
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/babyroro1/Sketchfab-Ripper-/releases/download/sketchfab/SketchfabRipper.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
https://github.com/babyroro1/Sketchfab-Ripper-/releases/download/sketchfab/SketchfabRipper.exe
Resource
win10v2004-20220812-en
General
-
Target
https://github.com/babyroro1/Sketchfab-Ripper-/releases/download/sketchfab/SketchfabRipper.exe
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer payload 10 IoCs
resource yara_rule behavioral1/files/0x000a00000001200b-54.dat elysiumstealer behavioral1/files/0x000a00000001200b-55.dat elysiumstealer behavioral1/files/0x000a00000001200b-57.dat elysiumstealer behavioral1/memory/2044-58-0x0000000001320000-0x0000000001496000-memory.dmp elysiumstealer behavioral1/memory/2044-59-0x0000000000150000-0x000000000016A000-memory.dmp elysiumstealer behavioral1/files/0x000a00000001200b-64.dat elysiumstealer behavioral1/files/0x000a00000001200b-63.dat elysiumstealer behavioral1/files/0x000a00000001200b-65.dat elysiumstealer behavioral1/files/0x000a00000001200b-66.dat elysiumstealer behavioral1/files/0x000a00000001200b-67.dat elysiumstealer -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 2044 SketchfabRipper.exe -
resource yara_rule behavioral1/memory/2044-59-0x0000000000150000-0x000000000016A000-memory.dmp upx -
Loads dropped DLL 7 IoCs
pid Process 1444 iexplore.exe 2044 SketchfabRipper.exe 1480 WerFault.exe 1480 WerFault.exe 1480 WerFault.exe 1480 WerFault.exe 1480 WerFault.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1480 2044 WerFault.exe 30 -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 40a6829cfcd7d801 iexplore.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D4A325E1-43EF-11ED-B4FB-76D99E3F6056} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371658261" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1444 iexplore.exe 1444 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1444 iexplore.exe 1444 iexplore.exe 2012 IEXPLORE.EXE 2012 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1444 wrote to memory of 2012 1444 iexplore.exe 28 PID 1444 wrote to memory of 2012 1444 iexplore.exe 28 PID 1444 wrote to memory of 2012 1444 iexplore.exe 28 PID 1444 wrote to memory of 2012 1444 iexplore.exe 28 PID 1444 wrote to memory of 2044 1444 iexplore.exe 30 PID 1444 wrote to memory of 2044 1444 iexplore.exe 30 PID 1444 wrote to memory of 2044 1444 iexplore.exe 30 PID 2044 wrote to memory of 1480 2044 SketchfabRipper.exe 31 PID 2044 wrote to memory of 1480 2044 SketchfabRipper.exe 31 PID 2044 wrote to memory of 1480 2044 SketchfabRipper.exe 31
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/babyroro1/Sketchfab-Ripper-/releases/download/sketchfab/SketchfabRipper.exe1⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2012
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2044 -s 6563⤵
- Loads dropped DLL
- Program crash
PID:1480
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d4c505779c3cd53045709716b7717ce9
SHA1c3ab2741f50a833f5f48262f34b901f48bd716f4
SHA256d0d83f1cc3145fc821ec8fed67c2d2493273c0ff4bbf4863697a14b08cd22bf1
SHA5128a8c4870242d2f05bb6fd1e9a1d591f55b37287487b539aaa4357935567094c88a55569de19011658757dc7239dbe9f1e6510062939c73041feb98b662a78109
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe.0suhyvc.partial
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
Filesize
608B
MD504dbb07094dd5e595d67d657f2ee6094
SHA1fb913f395299fcae868420925c40114feee9c45a
SHA256b64848e64ead3eb6941cb0d5d3edeb7237315847b933e93ea8fd807d4fc1af89
SHA512eb606ac43b4b3d70cd89560ae3d73bd6ceac73d7204b13e473ccb4be2523b0dbd2c4597c357d8cd680dfb391d3aab9e108f245c797b5a3bba61a94c0416caa4c
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\SketchfabRipper.exe
Filesize1.4MB
MD50acae348710ea8e48cbfa74859885cda
SHA189fa5d1e1e28b0ce325472a85afc705041d4a05c
SHA256660503b141b629af0b0c3bc79a988a823f14905407feb16734d51da29f0de561
SHA512bf11e23e216cd5df54cc1e9b0ca6f4ee6f61624fff18f67550dc998356915a81ff7859126a75842d2fee68f7c1f6e97b62d16d7435a14c9c422312ac26024267
-
Filesize
39KB
MD5d80d1b6d9a6d5986fa47f6f8487030e1
SHA18f5773bf9eca43b079c1766b2e9f44cc90bd9215
SHA256446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3
SHA5129fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc