Analysis
-
max time kernel
1s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
08-01-2024 19:01
General
-
Target
4c37879689505f683c1e07b86b8aa7f2.exe
-
Size
559KB
-
MD5
4c37879689505f683c1e07b86b8aa7f2
-
SHA1
58484777d59af5378002ee6cd686525f26449098
-
SHA256
7bcbc81dbfbc85b4c7c40f44931788a814ded426317e6ea9456cc65c37341c92
-
SHA512
0b6615a38a67e922527edc694838afa2e96db58ab4f09c03fdf3e71a49bbab6e74addd54efbdd56a25c2bc8fc74e60d8a58409e2c471421438d3193df88acc74
-
SSDEEP
6144:5fqHpILYw0mlefjZJnu3GHYKDcOuhHovXIslLMJsd/4TelpDtrRA6Ts5v3FNR3:xq2L7UjX0G/xvwsrSeLlTst3t3
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
ElysiumStealer Support DLL 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies registry key 1 TTPs 17 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c37879689505f683c1e07b86b8aa7f2.exe"C:\Users\Admin\AppData\Local\Temp\4c37879689505f683c1e07b86b8aa7f2.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic useraccount where caption='Nemesis-21022' rename Nemesis-210222⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where caption='Nemesis-21022' rename Nemesis-210223⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d I LOVE PIZZA-9745 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOwner /t REG_SZ /d I LOVE PIZZA-9748 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Epic Games"3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d PizzaXYZ-9742 /f1⤵
- Modifies registry key
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d 9748-30387-32368-11106 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 9748-30387-32368-11106 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 9748-30387-32368-11106 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\BIOS /v SystemSKU /t REG_SZ /d I LOVE PIZZA-9748-30387 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\1 /v ProcessorNameString /t REG_SZ /d 9752-8367 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\2 /v ProcessorNameString /t REG_SZ /d 9752-8367 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\3 /v ProcessorNameString /t REG_SZ /d 9752-8367 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine"1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers"1⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Epic Games" / f1⤵
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_CURRENT_USER\Software\Epic Games" /f1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /v AccountId /t REG_SZ /d 9758-29864-20424-17760 /f1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0000" /v MatchingDeviceId /t REG_SZ /d {9758-29864-20424-17760} /f1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0000" /v NetCfgInstanceId /t REG_SZ /d {9758-29864-20424-17760} /f1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /v Machineid /t REG_SZ /d 9758-29864-20424-17760 /f1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /v ProcessorNameString /t REG_SZ /d 9752-8367 /f1⤵
- Modifies registry key
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {9748-30387-32368-11106} /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 9748 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v RegisteredOrganization /t REG_SZ /d I LOVE PIZZA-9748 /f1⤵
- Modifies registry key
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy1⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildGUID /t REG_SZ /d I LOVE PIZZA-9748 /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v GUID /t REG_SZ /d {I LOVE PIZZA-9745-19638-14503-19811} /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {I LOVE PIZZA-9745-19638-14503-19811} /f1⤵
- Modifies registry key
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5dff5049d89c2ebece4faf7ff00457676
SHA19fdaf09383b7cf3210a5ba1273e15fcfde483113
SHA2567e3c973ce2e086e824e2658d0ecc8e726c7f18cb313a8add6d749153447d9aad
SHA512d7346fad4391ab101aded02846575e600aea867626bcb9ac5aae405a02ae3e3cc257f80e997763ad2b0c272940a1b977cc7a778a1270e9c667948b30cf2f749a
-
Filesize
36KB
MD5ab0262f72142aab53d5402e6d0cb5d24
SHA1eaf95bb31ae1d4c0010f50e789bdc8b8e3116116
SHA25620a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb
SHA512bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1
-
Filesize
36KB
MD58aaad0f4eb7d3c65f81c6e6b496ba889
SHA1231237a501b9433c292991e4ec200b25c1589050
SHA256813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA5121a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62
-
Filesize
444B
MD55475132f1c603298967f332dc9ffb864
SHA14749174f29f34c7d75979c25f31d79774a49ea46
SHA2560b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA51254433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff
-
Filesize
46KB
MD56edbd101a14d7394a1435a6ef6002314
SHA1c36caa495ddada12a930eba81fa012856347717b
SHA256361de409f0eefc694ca46c56987e513e0daec8a8bb34b57b558d4c3164b3e25c
SHA51244169301bf519e112d62d3f1b460832c8d712f4e722269d8944faca845e52e503c3919f2f3c49f9de903664abe593ef51471aba7897d757a4a2b228c2fffa8f8
-
Filesize
454B
MD5411d53fc8e09fb59163f038ee9257141
SHA1cb67574c7872f684e586b438d55cab7144b5303d
SHA2561844105bb927dbc405685d3bf5546be47fa2fc5846b763c9f2ba2b613ec6bc48
SHA51267b342c434d8f3a8b9e9ac8a4cbd4c3ef83ddfc450fe7e6ad6f375dba9c8a4977a15a08b49f5ad7644fbde092396e6da08865aa54d399836e5444cb177a33444
-
Filesize
162B
MD5ac68ac6bffd26dbea6b7dbd00a19a3dd
SHA1a3d70e56249db0b4cc92ba0d1fc46feb540bc83f
SHA256d6bdeaa9bc0674ae9e8c43f2e9f68a2c7bb8575b3509685b481940fda834e031
SHA5126c3fcce2f73e9a5fc6094f16707109d03171d4a7252cf3cb63618243dbb25adb40045de9be27cad7932fd98205bdaf0f557d282b2ba92118bba26efcf1cd2a02
-
Filesize
58KB
MD54abeae9f173b42bd1420ee17ceab3603
SHA18fa8815bf4418b2f0249153b7cb0bfe32645235a
SHA256e604c393d3ec9c3296e5a2a6ea4177c8786cb0bbcce18211b20bf4ed6f1e7105
SHA51280bc2fabfbcd33227722f285ddf224b7175e16ac0f84ff6f8bfe010e3550eafb683c796119bd8632de9252f155329c6d60fa37a561a896ae7cf48f491f3ab718
-
Filesize
22KB
MD5dc25bdaa19c5ea0d369765cfbe960ef1
SHA114eac5b55dfa098bc3c25bbea534b1d6ef87ea38
SHA2563961b7563fc812bb054d66514545192c2c6524003cc62bfa575be1795979f38c
SHA512c3ab0f07559fef28280621e8c3101d6b02ea668d4c917577e1f33a365b2ed9675ca3a1360dd9a5f3b044e95403ae0aed2a11f4adaa69ec74c58563ada31fb217
-
Filesize
3KB
MD53427cd30c9ebbf9b66227f958c80fe18
SHA123cd9f5fb15914e70eabfaf3cd2d9511905d96dd
SHA2567dcdbeb601b45f72ab0a076a7a256e285fce72a72de5214fdd3a5dd8cceac36b
SHA512085babba9ac101afb7d786f91897ff6def39c5c862c0a925851dcb0b7aa67383e860679560d2320a7a59fa3234f9514cc464ba6fc06c4f7070e600d073c1cfe2
-
Filesize
150B
MD51659677c45c49a78f33551da43494005
SHA1ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA2565af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030
-
Filesize
27KB
MD57d99010fc46d4977036bb3c933f51ea0
SHA19f31c420e577184897c9be670e02a9057bd7b616
SHA256e28dfedb4177175b65a87bbf9bd1df8aa45f68969758b06384476dbca1155fed
SHA51267189426eaa64c2eaea12513029064e4f0f7fadd658ad8a282b9eb1597e7c616b69290b6ff20142fab9dc94e6c0872840fa73d5c433a73bd3d9e120616aa5a37
-
Filesize
5KB
MD5dedb249606e450f82ccc53f15003194a
SHA1da006a7f152d5edacb7e841ac4da8df645ca3721
SHA256f950b382221cc8f8e8931dfd355c71c7141df5369646b4eed96ab6620824c913
SHA5125f021eb212c0cf4b4107c7ac31f541c4a11d04bb16f618ab4f08fe51cc21fb027f1e756bdb4cbd7966bd2d4524bfa9aa0410f21314c0b957b4090a434b291fc2
-
Filesize
28KB
MD5ca498169dd23b62112cd958502aad5d7
SHA119d4139c32b31c6f8ae1e7f0ba670037f0f39ab5
SHA2565e217d3defffa37c9235763836cc4e6c63b439d1d14402443d468ddecb1d1a17
SHA5120529a96e52738119d0072ba39aee7d9e81092a24592b3c71b826eb1a25ec4aeaa30a1c71f7a895a995524933301d84d88b1ca148c8df2609d24db6d75b15d203
-
Filesize
9KB
MD559c338b777760b7a4eb8bfc09f165ffc
SHA11b87daaed3f0acd2da342b715493a839df30cfbf
SHA2569fa567edfc64fdc0dce80dafaea4a43c89ca7e9179f34cac59496189c894615f
SHA5125c5831833583a54a3c95e206e8f2feac8d52facdfbd6b476d8b81e54ae9aae48c44bc5773cd9d30b06d67ff10b1e913727b8fb9419f22089e10b1f8ff33227eb
-
Filesize
96B
MD5129779775f9c360a01dd27946ded37f7
SHA1f2ba1be31562f3121e457a52e451bc91c50388f7
SHA256f8b4748259b0c1ba1017c57808ab864ac2a20ef78889f2fd2d103da27d9540f1
SHA512ae084738cc69f63fb69397d41c64c5156a9644316251d4681c3bfd2b11164f5b454770710fffe43a267a6181ab9efdd3d937545318f484521e162b343db9f2e7
-
Filesize
25KB
MD5c8a0f96e7fbc2b6d475dcccdd2a3bba6
SHA1c30d2df8f3c3d144c5d2795d987519b6e2c409fb
SHA256f27d1d917d41a929e2814334f6e61e73f182fd749b5ad2dd6e5bd99a3c7b5571
SHA51223e4ff829ef709ec49cfc09b2dd43a4a9315bc70f36a7dd01d4d5eac9d919c684b5d3b0d97bb6e368157774a321b999110d8c17338f9f7104d4d7fbf9dd2be07
-
Filesize
1KB
MD5a00410b892c047dd49bf2a35ab50975a
SHA11330e4032bcdbdb921f2c913f531cdca66f7f5b5
SHA2566bae206386bc97e3d9a69c0b46066760863d5c2330b68e7ec49d570876f248f4
SHA51235fd34310d8b17276459bdb8fc3a9b02bed8098232e6b01461075dc5857d7d3bbbd9d60358b6940287e3cdadbc277612aa7237cb93fdfcd82a95db9d69303b4e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
48KB