Analysis

  • max time kernel
    50s
  • max time network
    58s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    23-07-2020 15:16

General

  • Target

    KY6mW.exe

  • Size

    940KB

  • MD5

    91465c291a92591087e70caa0d4c3370

  • SHA1

    345fba0f611a59ddd30a8c87f793a80fbf82c50e

  • SHA256

    ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42

  • SHA512

    d39d5256b4db45e8a5901a96341e2ca8e5f3dafa2b426227a1fe76f6268f8b2ca59a2c5ce332ea2f70a15287ae9a2703ca52c22dacd8beed54e0786f2b70a762

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Accesses 2FA software files, possible credential harvesting (2 TTPs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (6 IoCs)
  • Suspicious use of WriteProcessMemory (50 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\KY6mW.exe
    "C:\Users\Admin\AppData\Local\Temp\KY6mW.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c MenJA.bat
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c if NOT UCQFZDUI == DESKTOP-QO5QU33 set /p ="M"
        3⤵
        PID:1452
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode RJar.com V
          3⤵
          PID:1508
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
            smss.com V
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:824
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com V
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:380
              • C:\Windows\SysWOW64\TapiUnattend.exe
                "C:\Windows\SysWOW64\TapiUnattend.exe"
                5⤵
                PID:1520
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 3
              3⤵
              • Runs ping.exe
              PID:1640

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1520-16-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/1520-18-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB