efd49c5c4e703e276cdfcf788e1d11750d2053a5388f768e933a09bb25838217

General

Target

Taurus.exe
Size

276KB
MD5

0f544c1537e9141d831bd96d61980d7e
SHA1

eeebd2c8e285ce745a409cd226ee6df4aae1982e
SHA256

efd49c5c4e703e276cdfcf788e1d11750d2053a5388f768e933a09bb25838217
SHA512

045f796a8b63942cef26b2a3705256dd3a3b9bf1c457f8dfe9c16f12ac3c18105a0499451348e2028d40434f5c91ba933c3ee53dc3f672ba22d58ccd52188894

Score

6^/10

discovery

Malware Config

Signatures

Makes http(s) request 7 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	4	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6901594400568a53
HTTP URL	6	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
HTTP URL	2	https://bit-browser.gq/gate/cfg/?post=1&data=s4t5y8q7v2t5y8q7v2
HTTP URL	2	https://bit-browser.gq/gate/log?post=2&data=dDiiGfjfJBJFGkIc1u0ujpRN6WYa7nfIT70j8eCRgC7njcP3f5J2ouNOB45A6TkCezvzRbl/YX/B9bIpXhojE55KSq1f2Y+V3m/lNv2tWlOYvECqg+BhJVmcdsIrsHULaNeZCoFhEPi5ycnic7hOOpnsngrW6q8fXlsdbKAUG2qHculyZkYrjb2bdTdiH2Osy1yofCe7+zwtGzFVMRnA1D/hglehEw==
HTTP URL	8	http://www.msftconnecttest.com/connecttest.txt
HTTP URL	6	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAgKdaEVcGvOipk%2B7zQeVOM%3D
HTTP URL	2	https://bit-browser.gq/gate/log/?post=2&data=dDiiGfjfJBJFGkIc1u0ujpRN6WYa7nfIT70j8eCRgC7njcP3f5J2ouNOB45A6TkCezvzRbl/YX/B9bIpXhojE55KSq1f2Y+V3m/lNv2tWlOYvECqg+BhJVmcdsIrsHULaNeZCoFhEPi5ycnic7hOOpnsngrW6q8fXlsdbKAUG2qHculyZkYrjb2bdTdiH2Osy1yofCe7+zwtGzFVMRnA1D/hglehEw==

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Taurus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Taurus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Taurus.exe

Checks for installed software on the system 1 TTPs 27 IoCs

discovery

Query Registry

T1012

Processes:

Taurus.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	Taurus.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	Taurus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	Taurus.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3460 3736 WerFault.exe Taurus.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3460 WerFault.exe
Token: SeBackupPrivilege 3460 WerFault.exe
Token: SeDebugPrivilege 3460 WerFault.exe

pid	pid_target	process	target process
3460	3736	WerFault.exe	Taurus.exe

description	pid	process
Token: SeRestorePrivilege	3460	WerFault.exe
Token: SeBackupPrivilege	3460	WerFault.exe
Token: SeDebugPrivilege	3460	WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe
3460	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Taurus.exe
"C:\Users\Admin\AppData\Local\Temp\Taurus.exe"
1⤵
- Enumerates system info in registry
- Checks for installed software on the system
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1800
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-0-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/3460-1-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads