Overview

overview

10

Static

static

SecuriteIn...50.exe

windows7_x64

10

SecuriteIn...50.exe

windows10_x64

7

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-03-2021 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Carberp.2692.29914.12750.exe

  • Size

    2.0MB

  • MD5

    602c4fc857abdc65397927df41fc638d

  • SHA1

    57dd28ad57e53751dbf68959a5a8fc4012d905a4

  • SHA256

    7fc9d4a00d0a1482b4b320feb5bed172f354c48705caae9d52db720ce7d98d84

  • SHA512

    c7da5aff57e4c125a4b42bf6a7e319509b9786fd673f4e3320ed0e2124cdf649ac4708ed2430bc7f550e2ba260383cf2a1099d0b4f9ac7ec6af3516c815d84ad

Score
10/10
taurus_stealerdiscoveryspywarestealertrojan

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

    trojanstealertaurus_stealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Carberp.2692.29914.12750.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Carberp.2692.29914.12750.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c timeout 4
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:456
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1660
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Carberp.2692.29914.12750.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Carberp.2692.29914.12750.exe"
      2⤵
        PID:1844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 892
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:572

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/572-19-0x0000000000300000-0x0000000000301000-memory.dmp

      Filesize

      4KB

      Download

    • memory/572-13-0x0000000001FC0000-0x0000000001FD1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1564-16-0x000007FEF7180000-0x000007FEF73FA000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1844-11-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1844-9-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/1844-18-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

      Download

    • memory/1968-2-0x0000000074200000-0x00000000748EE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1968-6-0x0000000000230000-0x0000000000277000-memory.dmp

      Filesize

      284KB

      Download

    • memory/1968-17-0x0000000006220000-0x0000000006221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1968-3-0x0000000001050000-0x0000000001051000-memory.dmp

      Filesize

      4KB

      Download