Analysis Overview
SHA256
aa84a2b5ded695ac4c3ab79db699f923326f090559d255894beb2622ea7747a2
Threat Level: Known bad
The file HwidSpoofer.exe was found to be: Known bad.
Malicious Activity Summary
ElysiumStealer
ElysiumStealer Support DLL
Loads dropped DLL
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2022-12-20 00:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-20 00:54
Reported
2022-12-20 00:56
Platform
win7-20220901-en
Max time kernel
43s
Max time network
47s
Command Line
Signatures
ElysiumStealer
ElysiumStealer Support DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1672 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1672 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1672 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1672 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 640
Network
Files
memory/1672-54-0x0000000000990000-0x0000000001064000-memory.dmp
memory/1672-55-0x00000000001E0000-0x00000000001EC000-memory.dmp
\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
| Hash | Value |
|---|---|
| MD5 | 94173de2e35aa8d621fc1c4f54b2a082 |
| SHA1 | fbb2266ee47f88462560f0370edb329554cd5869 |
| SHA256 | 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f |
| SHA512 | cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798 |
memory/1672-57-0x0000000075111000-0x0000000075113000-memory.dmp
memory/1520-58-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-20 00:54
Reported
2022-12-20 00:56
Platform
win10v2004-20221111-en
Max time kernel
50s
Max time network
127s
Command Line
Signatures
ElysiumStealer
ElysiumStealer Support DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2144 -ip 2144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1076
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
memory/2144-132-0x0000000000140000-0x0000000000814000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll
| Hash | Value |
|---|---|
| MD5 | 94173de2e35aa8d621fc1c4f54b2a082 |
| SHA1 | fbb2266ee47f88462560f0370edb329554cd5869 |
| SHA256 | 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f |
| SHA512 | cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798 |
memory/2144-134-0x00000000059D0000-0x0000000005F74000-memory.dmp
memory/2144-135-0x00000000052E0000-0x0000000005372000-memory.dmp
memory/2144-136-0x0000000005280000-0x000000000528A000-memory.dmp