Analysis
max time kernel: 23s
max time network: 19s
platform: windows7_x64
resource: win7v20201028
submitted: 04-04-2021 11:53

Static task: static1
Behavioral task: behavioral1
Sample: AFE.tmp.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
Target: AFE.tmp.exe
Size: 378KB
MD5: 98d0976214fb5720a6b2c23ba035b741
SHA1: 1eb4da1f7de4ca6718d75c6ac713b6324948ad6c
SHA256: 553e5fd6df66c3d38733e1942ffbf2557843fc19c48fa1a2379eee9eb528c144
SHA512: 4a1bf187b5483d70925cb1ae91090f2abde87ecd115d298f01e0c9c0b9bf428c53b3db6c6173aaf4b96cc345b093cd95cf2641894dc7b1edfdc2689ef6582925
Score: 10/10
Malware Config
Signatures

- Taurus Stealer
  Taurus is an infostealer first seen in June 2020.

- Deletes itself (1 IoC)
  Processes:
    pid 1488  cmd.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.

- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 1648  timeout.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process      target process
    PID 2008 wrote to memory of 1488   2008  AFE.tmp.exe  cmd.exe
    PID 2008 wrote to memory of 1488   2008  AFE.tmp.exe  cmd.exe
    PID 2008 wrote to memory of 1488   2008  AFE.tmp.exe  cmd.exe
    PID 2008 wrote to memory of 1488   2008  AFE.tmp.exe  cmd.exe
    PID 1488 wrote to memory of 1648   1488  cmd.exe      timeout.exe
    PID 1488 wrote to memory of 1648   1488  cmd.exe      timeout.exe
    PID 1488 wrote to memory of 1648   1488  cmd.exe      timeout.exe
    PID 1488 wrote to memory of 1648   1488  cmd.exe      timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe"
  PID: 2008
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\SysWOW64\cmd.exe
    command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe
    PID: 1488
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    child: C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 3
      PID: 1648
      - Delays execution with timeout.exe
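The process tree above is the classic cmd.exe self-delete chain: the sample spawns cmd.exe, which sleeps via timeout.exe long enough for the parent to exit and release its file handle, then runs del against the parent's own image path. The following detector is an added example (not code from the sandbox, the report, or the Taurus sample) that applies that logic to process-creation events. The ProcEvent record, the PIDs 2008/1488/1648, and the benign setup.exe/setup.log pair are constructed to mirror the report's tree; the parent-PID lookup assumes events carry a parent PID the way Sysmon Event ID 1 or Security 4688 do.

```python
"""Detect the self-delete chain from this report (cmd /c timeout /t N & del <own image>)
over process-creation events. Added example, not code from the sandbox or the sample;
the event shape and PIDs are constructed to mirror the report's process tree."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line as logged


# Constructed events: PIDs 2008/1488/1648 mirror the report; 3000/3100 are a benign
# installer that deletes a log file (not its own image) for contrast.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2008, 1200, r"C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe"'),
    ProcEvent(1488, 2008, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\AFE.tmp.exe"),
    ProcEvent(1648, 1488, r"C:\Windows\SysWOW64\timeout.exe", r"timeout /t 3"),
    ProcEvent(3000, 1200, r"C:\Users\Admin\Downloads\setup.exe",
              r'"C:\Users\Admin\Downloads\setup.exe"'),
    ProcEvent(3100, 3000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
]

# Optional image token followed by the /c or /k switch; the report's logged command
# line omits the cmd.exe image, so the image part is optional.
CMD_PREFIX_RE = re.compile(r'^\s*(?:(?:"[^"]*"|\S+)\s+)?/[ck]\s+', re.IGNORECASE)
DEL_RE = re.compile(r'^(?:del|erase)\b', re.IGNORECASE)
# Sleep idioms used to outlive the parent before the delete runs.
DELAY_RE = re.compile(r'\b(?:timeout\s+/t\s+\d+|ping\s+(?:-n\s+\d+\s+)?127\.0\.0\.1)',
                      re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def _segments(cmdline: str) -> List[str]:
    """Strip the cmd /c prefix and split on cmd.exe's separators (&, &&, ||)."""
    body = CMD_PREFIX_RE.sub('', cmdline, count=1).strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]  # cmd /c "cmd1 & cmd2" form
    return [s.strip() for s in re.split(r'\s*(?:&&|\|\||&)\s*', body) if s.strip()]


def del_targets(cmdline: str) -> List[str]:
    """Return every path passed to del/erase anywhere in a cmd.exe command line."""
    targets: List[str] = []
    for seg in _segments(cmdline):
        if not DEL_RE.match(seg):
            continue
        for tok in TOKEN_RE.findall(seg)[1:]:   # [0] is the del/erase keyword
            if not tok.startswith('/'):          # skip switches such as /f /q
                targets.append(tok.strip('"'))
    return targets


def _norm_path(p: str) -> str:
    return p.strip('"').replace('/', '\\').lower()


def find_self_delete(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Flag cmd.exe children whose del target is their parent's own image."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        if not e.image.lower().endswith('\\cmd.exe'):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        for target in del_targets(e.cmdline):
            if _norm_path(target) == _norm_path(parent.image):
                findings.append({
                    'cmd_pid': e.pid,
                    'parent_pid': parent.pid,
                    'deleted': parent.image,
                    'delayed': bool(DELAY_RE.search(e.cmdline)),
                })
    return findings


if __name__ == '__main__':
    for hit in find_self_delete(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events it reports exactly one hit, PID 1488 deleting the image of PID 2008 with a delay present, and nothing for the installer that removes a log file. The match keys on the parent's image path rather than on the string "timeout", so a variant that sleeps with ping or with no delay at all is still caught, while a variant that names its own image indirectly (a %~f0 batch reference, a wildcard, PowerShell's Remove-Item) is not; pair this with a file-deletion telemetry check on the parent's path if that matters in your environment.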