Analysis Overview
SHA256
33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744
Threat Level: Known bad
The file 33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.sample was found to be: Known bad.
Malicious Activity Summary
ElysiumStealer payload
Elysiumstealer family
ElysiumStealer
Modifies extensions of user files
Loads dropped DLL
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-10-07 11:38
Signatures
ElysiumStealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Elysiumstealer family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-07 11:38
Reported
2022-10-07 11:40
Platform
win7-20220812-en
Max time kernel
46s
Max time network
49s
Command Line
Signatures
ElysiumStealer
ElysiumStealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\ResolveUnblock.crw.MafiaWare666 | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\DisconnectSkip.crw.MafiaWare666 | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1680 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | C:\Windows\system32\WerFault.exe |
| PID 1680 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | C:\Windows\system32\WerFault.exe |
| PID 1680 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe
"C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1680 -s 704
Network
Files
memory/1680-54-0x0000000000010000-0x0000000000092000-memory.dmp
memory/1680-55-0x0000000000450000-0x000000000045C000-memory.dmp
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
| MD5 | d80d1b6d9a6d5986fa47f6f8487030e1 |
| SHA1 | 8f5773bf9eca43b079c1766b2e9f44cc90bd9215 |
| SHA256 | 446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3 |
| SHA512 | 9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc |
memory/1100-57-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-07 11:38
Reported
2022-10-07 11:40
Platform
win10v2004-20220812-en
Max time kernel
61s
Max time network
139s
Command Line
Signatures
ElysiumStealer
ElysiumStealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Pictures\EnterConnect.png.MafiaWare666 | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RepairClose.png.MafiaWare666 | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\LockWatch.raw.MafiaWare666 | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MergeConnect.crw.MafiaWare666 | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe
"C:\Users\Admin\AppData\Local\Temp\33e58ab07de493ea0bc34ef7ec2c7430d6af0f222e378b6c628fdef6c920c744.bin.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4908 -ip 4908
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4908 -s 1148
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 178.79.208.1:80 | | tcp |
Files
memory/4908-132-0x0000000000C40000-0x0000000000CC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
| MD5 | d80d1b6d9a6d5986fa47f6f8487030e1 |
| SHA1 | 8f5773bf9eca43b079c1766b2e9f44cc90bd9215 |
| SHA256 | 446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3 |
| SHA512 | 9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc |
memory/4908-134-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp
memory/4908-135-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp
memory/4908-136-0x00007FFBFE880000-0x00007FFBFF341000-memory.dmp