100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
25-11-2020 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe
Size

376KB
MD5

3eafc3e74deeffaccc2a203154265a30
SHA1

0de031ececa86e4e318f266f291474fc73d491ac
SHA256

100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea
SHA512

2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

9 1992 rundll32.exe
14 844 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

tdun.exeTaurus22.exe

pid process

2036 tdun.exe
928 Taurus22.exe

flow	pid	process
9	1992	rundll32.exe
14	844	rundll32.exe

pid	process
2036	tdun.exe
928	Taurus22.exe

Loads dropped DLL 14 IoCs

Processes:

100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exerundll32.exetdun.exerundll32.exe

pid	process
844	100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe
844	100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
2036	tdun.exe
2036	tdun.exe
2036	tdun.exe
2036	tdun.exe
844	rundll32.exe
844	rundll32.exe
844	rundll32.exe
844	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1256 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1992 rundll32.exe
1992 rundll32.exe
1992 rundll32.exe
1992 rundll32.exe

pid	process
1256	schtasks.exe

pid	process
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe
1992	rundll32.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exetdun.execmd.exeTaurus22.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 2036	844	100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe	tdun.exe
PID 844 wrote to memory of 2036	844	100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe	tdun.exe
PID 844 wrote to memory of 2036	844	100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe	tdun.exe
PID 844 wrote to memory of 2036	844	100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe	tdun.exe
PID 2036 wrote to memory of 520	2036	tdun.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	tdun.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	tdun.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	tdun.exe	cmd.exe
PID 520 wrote to memory of 864	520	cmd.exe	reg.exe
PID 520 wrote to memory of 864	520	cmd.exe	reg.exe
PID 520 wrote to memory of 864	520	cmd.exe	reg.exe
PID 520 wrote to memory of 864	520	cmd.exe	reg.exe
PID 2036 wrote to memory of 1992	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 1992	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 1992	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 1992	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 1992	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 1992	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 1992	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 928	2036	tdun.exe	Taurus22.exe
PID 2036 wrote to memory of 928	2036	tdun.exe	Taurus22.exe
PID 2036 wrote to memory of 928	2036	tdun.exe	Taurus22.exe
PID 2036 wrote to memory of 928	2036	tdun.exe	Taurus22.exe
PID 928 wrote to memory of 1540	928	Taurus22.exe	cmd.exe
PID 928 wrote to memory of 1540	928	Taurus22.exe	cmd.exe
PID 928 wrote to memory of 1540	928	Taurus22.exe	cmd.exe
PID 928 wrote to memory of 1540	928	Taurus22.exe	cmd.exe
PID 1540 wrote to memory of 1256	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 1256	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 1256	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 1256	1540	cmd.exe	schtasks.exe
PID 2036 wrote to memory of 844	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 844	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 844	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 844	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 844	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 844	2036	tdun.exe	rundll32.exe
PID 2036 wrote to memory of 844	2036	tdun.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe
"C:\Users\Admin\AppData\Local\Temp\100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\ProgramData\df06955a2a\tdun.exe
"C:\ProgramData\df06955a2a\tdun.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\
4⤵
PID:864

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\cred.dll, Main
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
"C:\Users\Admin\AppData\Local\Temp\Taurus22.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\BkjAGflc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\BkjAGflc.exe"
5⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\scr.dll, Main
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
PID:844

C:\Windows\system32\taskeng.exe
taskeng.exe {ACA6C5C6-3B7C-4D67-974D-D3EB7DC1A097} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\152129327895926991267923
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
C:\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
C:\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
8f96aa45f0dc7b30f4b15739e0679b7a

SHA1
5a405823e2516a40e62e83dd4010a012590a6403

SHA256
68f9243f40945d2c3f15bed2d106401737caa94a26716af3d5918b3c0f760e8b

SHA512
4b9e3755af957009644d563ca054a961c9377202b0e10a4dd55f219fa25049fd264624a1f96ad372e1836f9afa4351b8aaaf477ded414274c31be2d18019541c

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
8f96aa45f0dc7b30f4b15739e0679b7a

SHA1
5a405823e2516a40e62e83dd4010a012590a6403

SHA256
68f9243f40945d2c3f15bed2d106401737caa94a26716af3d5918b3c0f760e8b

SHA512
4b9e3755af957009644d563ca054a961c9377202b0e10a4dd55f219fa25049fd264624a1f96ad372e1836f9afa4351b8aaaf477ded414274c31be2d18019541c

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
8f96aa45f0dc7b30f4b15739e0679b7a

SHA1
5a405823e2516a40e62e83dd4010a012590a6403

SHA256
68f9243f40945d2c3f15bed2d106401737caa94a26716af3d5918b3c0f760e8b

SHA512
4b9e3755af957009644d563ca054a961c9377202b0e10a4dd55f219fa25049fd264624a1f96ad372e1836f9afa4351b8aaaf477ded414274c31be2d18019541c

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
8f96aa45f0dc7b30f4b15739e0679b7a

SHA1
5a405823e2516a40e62e83dd4010a012590a6403

SHA256
68f9243f40945d2c3f15bed2d106401737caa94a26716af3d5918b3c0f760e8b

SHA512
4b9e3755af957009644d563ca054a961c9377202b0e10a4dd55f219fa25049fd264624a1f96ad372e1836f9afa4351b8aaaf477ded414274c31be2d18019541c

Download Submit
\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
8f96aa45f0dc7b30f4b15739e0679b7a

SHA1
5a405823e2516a40e62e83dd4010a012590a6403

SHA256
68f9243f40945d2c3f15bed2d106401737caa94a26716af3d5918b3c0f760e8b

SHA512
4b9e3755af957009644d563ca054a961c9377202b0e10a4dd55f219fa25049fd264624a1f96ad372e1836f9afa4351b8aaaf477ded414274c31be2d18019541c

Download Submit
memory/520-5-0x0000000000000000-mapping.dmp

Download
memory/564-7-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp

Filesize
2.5MB

Download
memory/844-22-0x0000000000000000-mapping.dmp

Download
memory/864-6-0x0000000000000000-mapping.dmp

Download
memory/928-18-0x0000000000000000-mapping.dmp

Download
memory/1256-21-0x0000000000000000-mapping.dmp

Download
memory/1540-20-0x0000000000000000-mapping.dmp

Download
memory/1992-8-0x0000000000000000-mapping.dmp

Download
memory/2036-2-0x0000000000000000-mapping.dmp

Download