Analysis
- max time kernel: 114s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 13-05-2021 12:02

Static task: static1
Behavioral task: behavioral1
Sample: 4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb.exe
Resource: win7v20210408
0 signatures
0 seconds
General
- Target: 4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb.exe
- Size: 401KB
- MD5: 7e79a9ac1dbbda7d2cd4c90a78395fe7
- SHA1: 919c526b943618dcd57d798592cc24fdd8d04ba5
- SHA256: 4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb
- SHA512: 9dfc7b3fb483a0f59cfc6d97921ba409dc4ce00855d4903f039c35e3336ba4d3368b54d6e4b082a3e6bf1ac431efe0135306a83096de34b1443c8d60799a20a3
Malware Config
(none extracted)

Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description: PID 4056 created 2232 | pid: 4056 | process: WerFault.exe | target process: 4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb.exe
- Taurus Stealer Payload (2 IoCs)
  Processes:
  resource: behavioral2/memory/2232-114-0x0000000001AE0000-0x0000000001B18000-memory.dmp | yara_rule: family_taurus_stealer
  resource: behavioral2/memory/2232-115-0x0000000000400000-0x000000000179F000-memory.dmp | yara_rule: family_taurus_stealer
- Program crash (1 IoC)
  Processes:
  pid: 4056 | pid_target: 2232 | process: WerFault.exe | target process: 4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid: 4056 | process: WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description: Token: SeRestorePrivilege | pid: 4056 | process: WerFault.exe
  description: Token: SeBackupPrivilege | pid: 4056 | process: WerFault.exe
  description: Token: SeDebugPrivilege | pid: 4056 | process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f2c35eb6899ef553b92798363fd8f6c25c8b4eef4218e204910614638aa2ffb.exe"
  PID: 2232
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 660
    PID: 4056
    Signatures:
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken