Analysis
- max time kernel: 45s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/02/2025, 18:44
Behavioral task: behavioral1
- Sample: HWID PERM.exe
- Resource: win10v2004-20250129-en
General
- Target: HWID PERM.exe
- Size: 5.4MB
- MD5: 8b3b6761a5ada29b0d2e3eba8d739a6a
- SHA1: be76c501a74fabc3a3b6f4e3c3dcd0f8bba46c0a
- SHA256: 7e28def00bbb57d5a43aee2e2884ba1bec9928f0322a38e12939dbb06f177c91
- SHA512: 9d8bf77b8171b9fcc8de3f2f848f557cfebd15579474175ab903227e587da5ec2437f0f6175961f41436b8a85451a49131fccfff2ebc2f924cc9385d8e15b6b0
- SSDEEP: 98304:v1+UCD8+5HTzqd7qzAqe8luxiIbqIZiwGBdSwOfFS4q:Pl+5HTW9qDFluI3IZi5DqFf
Malware Config
Signatures

- ElysiumStealer
  ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

- ElysiumStealer Support DLL (1 IoC)
  resource | yara_rule
  behavioral1/files/0x000b000000023b59-15.dat | elysiumstealer_dll

- Elysiumstealer family

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | HWID PERM.exe

- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | HWID PERM.exe

- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | HWID PERM.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | HWID PERM.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | HWID PERM.exe

- Loads dropped DLL (1 IoC)
  pid | Process
  2684 | HWID PERM.exe

- YARA match: themida
  resource | yara_rule
  behavioral1/memory/2684-11-0x0000000000400000-0x0000000000EF2000-memory.dmp | themida
  behavioral1/memory/2684-12-0x0000000000400000-0x0000000000EF2000-memory.dmp | themida

- Checks whether UAC is enabled (1 TTP, 1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HWID PERM.exe

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | HWID PERM.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | HWID PERM.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  2684 | HWID PERM.exe

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HWID PERM.exe

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HWID PERM.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | HWID PERM.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HWID PERM.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2684 | HWID PERM.exe (repeated hits)
  2984 | taskmgr.exe (repeated hits)

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2684 | HWID PERM.exe
  Token: SeDebugPrivilege | 2984 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2984 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2984 | taskmgr.exe
  Token: 33 | 2984 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 2984 | taskmgr.exe

- Suspicious use of FindShellTrayWindow (48 IoCs)
  pid | Process
  2984 | taskmgr.exe (48 hits)

- Suspicious use of SendNotifyMessage (48 IoCs)
  pid | Process
  2984 | taskmgr.exe (48 hits)
Processes

- C:\Users\Admin\AppData\Local\Temp\HWID PERM.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HWID PERM.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2684

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures:
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2984
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40KB
  MD5: 94173de2e35aa8d621fc1c4f54b2a082
  SHA1: fbb2266ee47f88462560f0370edb329554cd5869
  SHA256: 7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f
  SHA512: cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798