Malware Analysis Report

2024-08-06 08:51

Sample ID 231219-wgzz6shaaq
Target 6f863697c00b6c7db3bfb9af631618fa
SHA256 f53614a1f94813c9923414de84098b3295e63eaeea93f9e25dbcb75c69385e64
Tags elysiumstealer stealer
Score 10/10


Analysis Overview

Score 10/10

SHA256 f53614a1f94813c9923414de84098b3295e63eaeea93f9e25dbcb75c69385e64

Threat Level: Known bad

The file 6f863697c00b6c7db3bfb9af631618fa was found to be: Known bad.

Malicious Activity Summary

elysiumstealer stealer

ElysiumStealer

ElysiumStealer Support DLL

Loads dropped DLL

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-19 17:54

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 17:54

Reported

2023-12-19 19:19

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe"

Signatures

ElysiumStealer

stealer elysiumstealer

ElysiumStealer Support DLL

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Loads dropped DLL

Description   Indicator   Process                                                                  Target
N/A           N/A         C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe

"C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 676

Network

N/A

Files

memory/2040-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

memory/2040-0-0x00000000008E0000-0x0000000000958000-memory.dmp

memory/2040-2-0x00000000048B0000-0x00000000048F0000-memory.dmp

memory/2040-3-0x00000000003B0000-0x00000000003BC000-memory.dmp

memory/2040-4-0x00000000757F0000-0x0000000075900000-memory.dmp

\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

MD5 94173de2e35aa8d621fc1c4f54b2a082
SHA1 fbb2266ee47f88462560f0370edb329554cd5869
SHA256 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
SHA512 cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

memory/2040-8-0x0000000074550000-0x0000000074C3E000-memory.dmp

memory/2040-9-0x00000000048B0000-0x00000000048F0000-memory.dmp

memory/2040-10-0x00000000757F0000-0x0000000075900000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 17:54

Reported

2023-12-19 19:20

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe"

Signatures

ElysiumStealer

stealer elysiumstealer

ElysiumStealer Support DLL

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Loads dropped DLL

Description   Indicator   Process                                                                  Target
N/A           N/A         C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe

"C:\Users\Admin\AppData\Local\Temp\6f863697c00b6c7db3bfb9af631618fa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1080

Network

Country   Destination   Domain                         Proto
US        8.8.8.8:53    203.178.17.96.in-addr.arpa     udp
US        8.8.8.8:53    3.181.190.20.in-addr.arpa      udp
US        8.8.8.8:53    241.154.82.20.in-addr.arpa     udp
US        8.8.8.8:53    167.109.18.2.in-addr.arpa      udp
US        8.8.8.8:53    95.221.229.192.in-addr.arpa    udp
US        8.8.8.8:53    57.169.31.20.in-addr.arpa      udp
US        8.8.8.8:53    50.23.12.20.in-addr.arpa       udp
US        8.8.8.8:53    56.126.166.20.in-addr.arpa     udp
US        8.8.8.8:53    18.134.221.88.in-addr.arpa     udp
US        8.8.8.8:53    57.110.18.2.in-addr.arpa       udp
US        8.8.8.8:53    179.178.17.96.in-addr.arpa     udp
US        8.8.8.8:53    31.243.111.52.in-addr.arpa     udp
US        8.8.8.8:53    4.173.189.20.in-addr.arpa      udp

Files

memory/4348-0-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4348-1-0x00000000001D0000-0x0000000000248000-memory.dmp

memory/4348-2-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/4348-3-0x0000000002640000-0x000000000264C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

MD5 94173de2e35aa8d621fc1c4f54b2a082
SHA1 fbb2266ee47f88462560f0370edb329554cd5869
SHA256 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
SHA512 cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

memory/4348-8-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/4348-9-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/4348-10-0x0000000074CC0000-0x0000000075470000-memory.dmp