Analysis

- max time kernel: 50s
- max time network: 58s
- platform: windows7_x64
- resource: win7v200722
- submitted: 23-07-2020 15:16

Static task: static1

Behavioral task: behavioral1
- Sample: KY6mW.exe
- Resource: win7v200722 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: KY6mW.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds

General

- Target: KY6mW.exe
- Size: 940KB
- MD5: 91465c291a92591087e70caa0d4c3370
- SHA1: 345fba0f611a59ddd30a8c87f793a80fbf82c50e
- SHA256: ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
- SHA512: d39d5256b4db45e8a5901a96341e2ca8e5f3dafa2b426227a1fe76f6268f8b2ca59a2c5ce332ea2f70a15287ae9a2703ca52c22dacd8beed54e0786f2b70a762

Score: 10/10
Signatures

Taurus Stealer
Taurus is an infostealer first seen in June 2020.

Executes dropped EXE (2 IoCs)
pid   Process
824   smss.com
380   smss.com

Loads dropped DLL (2 IoCs)
pid   Process
1288  cmd.exe
824   smss.com

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (Process: KY6mW.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: KY6mW.exe)
Note: a wextract_cleanup0 value that points rundll32.exe advpack.dll,DelNodeRunDLL32 at an IXP000.TMP directory is the standard RunOnce entry written by the Windows IExpress/wextract self-extractor so that its extraction folder is deleted at the next logon. It shows that KY6mW.exe is an IExpress-style self-extracting package whose contents land in IXP000.TMP; it is not a persistence mechanism of the stealer itself, and no other Run/RunOnce value is reported.

Suspicious use of SetThreadContext (1 IoC)
description                          pid  Process   procid_target
PID 380 set thread context of 1520   380  smss.com  31
Note: together with the WriteProcessMemory events from 380 into 1520 and the MapViewOfSection event in PID 380, this is the process-hollowing sequence: the second smss.com instance starts TapiUnattend.exe (a Windows binary from SysWOW64) and replaces its execution context, which is consistent with the stealer payload running inside PID 1520 rather than in smss.com.

Runs ping.exe (1 TTP, 1 IoC)
pid   Process
1640  PING.EXE
Note: the command is ping 127.0.0.1 -n 3 (see the process tree), the usual cmd.exe substitute for a roughly two-second sleep; it is a delay, not network activity of interest.

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
380   smss.com

Suspicious use of FindShellTrayWindow (6 IoCs)
pid   Process
824   smss.com (3 events)
380   smss.com (3 events)

Suspicious use of SendNotifyMessage (6 IoCs)
pid   Process
824   smss.com (3 events)
380   smss.com (3 events)

Suspicious use of WriteProcessMemory (50 IoCs)
The report lists every write as a separate row; they are grouped here by source and target, with the target image taken from the process tree.
pid   Process    target pid  target image      procid_target  events
1244  KY6mW.exe  1288        cmd.exe           24             7
1288  cmd.exe    1452        cmd.exe           26             7
1288  cmd.exe    1508        certutil.exe      27             7
1288  cmd.exe    824         smss.com          28             7
824   smss.com   380         smss.com          29             7
1288  cmd.exe    1640        PING.EXE          30             7
380   smss.com   1520        TapiUnattend.exe  31             8
Processes

Levels are the nesting depth shown by the report (1 = the submitted sample).

- C:\Users\Admin\AppData\Local\Temp\KY6mW.exe (PID 1244, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\KY6mW.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1288, level 2)
    command line: cmd /c MenJA.bat
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1452, level 3)
      command line: cmd /c if NOT UCQFZDUI == DESKTOP-QO5QU33 set /p ="M"
    - C:\Windows\SysWOW64\certutil.exe (PID 1508, level 3)
      command line: certutil -decode RJar.com V
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com (PID 824, level 3)
      command line: smss.com V
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com (PID 380, level 4)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com V
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\TapiUnattend.exe (PID 1520, level 5)
          command line: "C:\Windows\SysWOW64\TapiUnattend.exe"
    - C:\Windows\SysWOW64\PING.EXE (PID 1640, level 3)
      command line: ping 127.0.0.1 -n 3
      signatures: Runs ping.exe

Reading the chain: the self-extracting package drops its contents (evidently MenJA.bat, RJar.com and the renamed binary smss.com) into IXP000.TMP and runs the batch file; the batch file decodes RJar.com to V with certutil, launches the dropped smss.com with V as its argument, and pads the sequence with a loopback ping. The dropped binary relaunches itself, and the second instance creates TapiUnattend.exe and overwrites its memory and thread context (WriteProcessMemory, MapViewOfSection, SetThreadContext), so the stealer behaviour should be looked for in PID 1520. The name smss.com is a masquerade: the real smss.exe only ever runs from the system directory and never from a user's Temp folder.
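The process chain above turned into detection logic, as an added example that is not part of the sandbox report or of any Triage tooling. The process and memory-event records are constructed by hand from this page's process tree and memory signatures; the field names, rule names and the list of system process names are my own assumptions. Each rule generalises one observation in the report: certutil used as a decoder, a loopback ping used as a sleep, a core Windows process name running from a user-writable path, and the WriteProcessMemory plus SetThreadContext pair into a Windows binary that marks hollowing (plain WriteProcessMemory during process creation, which the report also lists, does not match).

```python
"""Detection logic for the process chain reported above. Added example, not part of
the sandbox report or of any Triage tooling: the records below are constructed by
hand from this page's process tree and memory signatures, and all field and rule
names are my own."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str

@dataclass(frozen=True)
class MemEvent:
    src_pid: int
    dst_pid: int
    api: str  # "WriteProcessMemory", "SetThreadContext", ...

# Constructed from the process tree on this page (PIDs and command lines as reported).
PROCS = [
    Proc(1244, None, r"C:\Users\Admin\AppData\Local\Temp\KY6mW.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\KY6mW.exe"'),
    Proc(1288, 1244, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c MenJA.bat"),
    Proc(1452, 1288, r"C:\Windows\SysWOW64\cmd.exe",
         'cmd /c if NOT UCQFZDUI == DESKTOP-QO5QU33 set /p ="M"'),
    Proc(1508, 1288, r"C:\Windows\SysWOW64\certutil.exe", "certutil -decode RJar.com V"),
    Proc(824, 1288, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com", "smss.com V"),
    Proc(380, 824, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com",
         r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\smss.com V"),
    Proc(1520, 380, r"C:\Windows\SysWOW64\TapiUnattend.exe",
         r'"C:\Windows\SysWOW64\TapiUnattend.exe"'),
    Proc(1640, 1288, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3"),
]

# Constructed from the report's memory signatures: ordinary process-creation writes
# plus the one pair (380 -> 1520) that also resets a thread context.
MEM_EVENTS = [
    MemEvent(1244, 1288, "WriteProcessMemory"),
    MemEvent(1288, 824, "WriteProcessMemory"),
    MemEvent(824, 380, "WriteProcessMemory"),
    MemEvent(380, 1520, "WriteProcessMemory"),
    MemEvent(380, 1520, "SetThreadContext"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed list: core Windows process names that never legitimately run from a user-writable path.
SYSTEM_PROCESS_NAMES = {"smss", "csrss", "wininit", "winlogon", "services", "lsass", "svchost"}

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def find_certutil_decode(procs):
    """certutil used as a decoder or downloader (the 'certutil -decode RJar.com V' step)."""
    return [p.pid for p in procs
            if basename(p.image) == "certutil.exe"
            and re.search(r"\s-(decode|decodehex|urlcache)\b", p.cmdline, re.I)]

def find_ping_delay(procs):
    """ping against loopback with a repeat count: the batch-file substitute for sleep."""
    return [p.pid for p in procs
            if basename(p.image) == "ping.exe"
            and re.search(r"(?<!\S)(127\.0\.0\.1|localhost|::1)(?!\S)", p.cmdline, re.I)
            and re.search(r"\s-n\s+\d+", p.cmdline, re.I)]

def find_masquerading(procs):
    """A core system process name (smss, csrss, ...) running outside a system directory."""
    return [p.pid for p in procs
            if ntpath.splitext(basename(p.image))[0] in SYSTEM_PROCESS_NAMES
            and not in_system_dir(p.image)]

def find_hollowing(procs, events):
    """WriteProcessMemory plus SetThreadContext from a process outside the system
    directories into a Windows binary inside them: the process-hollowing sequence."""
    by_pid = {p.pid: p for p in procs}
    apis = {}
    for e in events:
        apis.setdefault((e.src_pid, e.dst_pid), set()).add(e.api)
    return [(src, dst) for (src, dst), seen in apis.items()
            if {"WriteProcessMemory", "SetThreadContext"} <= seen
            and src in by_pid and dst in by_pid
            and not in_system_dir(by_pid[src].image)
            and in_system_dir(by_pid[dst].image)]

def triage(procs, events):
    """Every rule's hits, keyed by rule name; hollowing reports the hollowed PID."""
    return {
        "certutil_decode": find_certutil_decode(procs),
        "ping_delay": find_ping_delay(procs),
        "system_name_outside_system_dir": find_masquerading(procs),
        "hollowing_candidate": [dst for _, dst in find_hollowing(procs, events)],
    }
```

Run against the constructed records, triage() reports certutil in PID 1508, the ping in PID 1640, both smss.com instances (824 and 380) as masquerading, and PID 1520 as the hollowed process; the WriteProcessMemory-only pairs from process creation produce no hollowing hit. On real telemetry the same four rules can be fed from Sysmon event IDs 1, 8 and 10 or from an EDR's process and cross-process-access events.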