100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

Analysis

max time kernel
135s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
25-11-2020 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
Size

376KB
MD5

3eafc3e74deeffaccc2a203154265a30
SHA1

0de031ececa86e4e318f266f291474fc73d491ac
SHA256

100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea
SHA512

2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Score

9^/10

discovery spyware stealer

Malware Config

Signatures

ServiceHost packer 22 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1124-17-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-16-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-23-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-25-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-26-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-54-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-56-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-57-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-58-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-59-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-60-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-61-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-62-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-64-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-63-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1124-55-0x0000000000000000-mapping.dmp	servicehost

Blacklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

19 4072 rundll32.exe
23 2216 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

tdun.exeTaurus22.exe

pid process

2912 tdun.exe
1124 Taurus22.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4072 rundll32.exe
4072 rundll32.exe
2216 rundll32.exe
2216 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2820 1124 WerFault.exe Taurus22.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

648 schtasks.exe

flow	pid	process
19	4072	rundll32.exe
23	2216	rundll32.exe

pid	process
2912	tdun.exe
1124	Taurus22.exe

pid	pid_target	process	target process
2820	1124	WerFault.exe	Taurus22.exe

pid	process
648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
4072	rundll32.exe
4072	rundll32.exe
4072	rundll32.exe
4072	rundll32.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2820 WerFault.exe
Token: SeBackupPrivilege 2820 WerFault.exe
Token: SeDebugPrivilege 2820 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2820	WerFault.exe
Token: SeBackupPrivilege	2820	WerFault.exe
Token: SeDebugPrivilege	2820	WerFault.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exetdun.execmd.exeTaurus22.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 2912	744	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe	tdun.exe
PID 744 wrote to memory of 2912	744	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe	tdun.exe
PID 744 wrote to memory of 2912	744	SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe	tdun.exe
PID 2912 wrote to memory of 4032	2912	tdun.exe	cmd.exe
PID 2912 wrote to memory of 4032	2912	tdun.exe	cmd.exe
PID 2912 wrote to memory of 4032	2912	tdun.exe	cmd.exe
PID 4032 wrote to memory of 776	4032	cmd.exe	reg.exe
PID 4032 wrote to memory of 776	4032	cmd.exe	reg.exe
PID 4032 wrote to memory of 776	4032	cmd.exe	reg.exe
PID 2912 wrote to memory of 4072	2912	tdun.exe	rundll32.exe
PID 2912 wrote to memory of 4072	2912	tdun.exe	rundll32.exe
PID 2912 wrote to memory of 4072	2912	tdun.exe	rundll32.exe
PID 2912 wrote to memory of 1124	2912	tdun.exe	Taurus22.exe
PID 2912 wrote to memory of 1124	2912	tdun.exe	Taurus22.exe
PID 2912 wrote to memory of 1124	2912	tdun.exe	Taurus22.exe
PID 1124 wrote to memory of 1456	1124	Taurus22.exe	cmd.exe
PID 1124 wrote to memory of 1456	1124	Taurus22.exe	cmd.exe
PID 1124 wrote to memory of 1456	1124	Taurus22.exe	cmd.exe
PID 1456 wrote to memory of 648	1456	cmd.exe	schtasks.exe
PID 1456 wrote to memory of 648	1456	cmd.exe	schtasks.exe
PID 1456 wrote to memory of 648	1456	cmd.exe	schtasks.exe
PID 2912 wrote to memory of 2216	2912	tdun.exe	rundll32.exe
PID 2912 wrote to memory of 2216	2912	tdun.exe	rundll32.exe
PID 2912 wrote to memory of 2216	2912	tdun.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.35366371.21837.17504.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\ProgramData\df06955a2a\tdun.exe
"C:\ProgramData\df06955a2a\tdun.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\
3⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\df06955a2a\
4⤵
PID:776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\cred.dll, Main
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
"C:\Users\Admin\AppData\Local\Temp\Taurus22.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\aBCgjGFk.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\aBCgjGFk.exe"
5⤵
- Creates scheduled task(s)
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1172
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\36877702447006\scr.dll, Main
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\152133414903337197415362
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
C:\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
C:\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
C:\ProgramData\df06955a2a\tdun.exe
MD5
3eafc3e74deeffaccc2a203154265a30

SHA1
0de031ececa86e4e318f266f291474fc73d491ac

SHA256
100f3322fa66d60cb9a64e2cbcceb0a9558e65e600526fcbc25852d62940c7ea

SHA512
2ed5d67d71af751a35398a649699e48c6dcde52d54e4e4977be9601edf1b595242a0787e7d9b07aca41416355ca33f9df13a4c087a8f63ae60c17b123363ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taurus22.exe
MD5
a4371e9bd79194ecb4cbeea6db5c84fc

SHA1
8d52f150505ccecc1660ca4de6f0b5d73e58a1f0

SHA256
412a216b1c3d5b49588f3afa1a29af5242a1b865eac7aa98565b4e7c5d4ca7e8

SHA512
c814c8de4ee96ba82571a245d7fc53f1537a45051cad35e8e86d2e17158e77b33d0817a2d84352d5aae2209047b5e846d38d58bae894278686d3ced62a38415a

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\cred.dll
MD5
7da17ba4b45756b3a4030fadf2b10581

SHA1
695ad3805d4f947d241c05831aa22b915dcecd08

SHA256
ac4f71ef784c5c125ccad0dca8b2c1e0a5ece14006f7955ffe183d0e1db3c8f9

SHA512
c69ce625861e64df4838fbb81bbede34e5604784e0aca5adbc3aa09b2a21390cac59908221a767923736334757aaab6d54217c4cf058c48b342de763b75815c0

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
\ProgramData\36877702447006\scr.dll
MD5
640ab71aef505d0fa1872c085d34bd67

SHA1
9dcaf377132f39f5c98f3883adcdc552347226ad

SHA256
846df3b6706b3ce2985c5d8f102c8ee74cd4734f294ae5f5c48b3f6f9def5070

SHA512
9c5a141503c52c5aeed6c60a077cf42eb34f2a7df55522da2759a3305661e2664db38f7e27ce57d60a0a30e798e76018467cd75618afcc2765c95448e42886c7

Download Submit
memory/648-14-0x0000000000000000-mapping.dmp

Download
memory/776-5-0x0000000000000000-mapping.dmp

Download
memory/1124-17-0x0000000000000000-mapping.dmp

Download
memory/1124-26-0x0000000000000000-mapping.dmp

Download
memory/1124-55-0x0000000000000000-mapping.dmp

Download
memory/1124-63-0x0000000000000000-mapping.dmp

Download
memory/1124-16-0x0000000000000000-mapping.dmp

Download
memory/1124-18-0x0000000000000000-mapping.dmp

Download
memory/1124-19-0x0000000000000000-mapping.dmp

Download
memory/1124-20-0x0000000000000000-mapping.dmp

Download
memory/1124-21-0x0000000000000000-mapping.dmp

Download
memory/1124-23-0x0000000000000000-mapping.dmp

Download
memory/1124-24-0x0000000000000000-mapping.dmp

Download
memory/1124-25-0x0000000000000000-mapping.dmp

Download
memory/1124-22-0x0000000000000000-mapping.dmp

Download
memory/1124-54-0x0000000000000000-mapping.dmp

Download
memory/1124-64-0x0000000000000000-mapping.dmp

Download
memory/1124-62-0x0000000000000000-mapping.dmp

Download
memory/1124-56-0x0000000000000000-mapping.dmp

Download
memory/1124-10-0x0000000000000000-mapping.dmp

Download
memory/1124-61-0x0000000000000000-mapping.dmp

Download
memory/1124-60-0x0000000000000000-mapping.dmp

Download
memory/1124-59-0x0000000000000000-mapping.dmp

Download
memory/1124-58-0x0000000000000000-mapping.dmp

Download
memory/1124-57-0x0000000000000000-mapping.dmp

Download
memory/1456-13-0x0000000000000000-mapping.dmp

Download
memory/2216-30-0x0000000000000000-mapping.dmp

Download
memory/2820-38-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-39-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-43-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-44-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-45-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-47-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-48-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-49-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-51-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-52-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-40-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-41-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-36-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-35-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-65-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2820-32-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-15-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2820-28-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2820-27-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2912-0-0x0000000000000000-mapping.dmp

Download
memory/4032-4-0x0000000000000000-mapping.dmp

Download
memory/4072-6-0x0000000000000000-mapping.dmp

Download