Analysis

max time kernel:  122s
max time network: 121s
platform:         windows7_x64
resource:         win7v20210410
submitted:        15-05-2021 01:02

Static task:      static1
Behavioral task:  behavioral1
Sample:           7a9c574a3ef86ab174cc3a48f6b000d1.exe
Resource:         win7v20210410
0 signatures, 0 seconds
General

Target:  7a9c574a3ef86ab174cc3a48f6b000d1.exe
Size:    1.3MB
MD5:     7a9c574a3ef86ab174cc3a48f6b000d1
SHA1:    4d7ceacb8b4685dc6826ab01a05449340befced7
SHA256:  24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60
SHA512:  4df2deaa71064671c14f316e3a4afa4517ccacde62728628eed66691ff6e12c85aefd9257cce9bc35778371f93edec05e9d45ecdd4e5e8e1c4325f013d863f86
Malware Config
Signatures
Taurus Stealer Payload (3 IoCs)
Processes:
  resource                                                          yara_rule
  behavioral1/memory/596-66-0x000000000041EC63-mapping.dmp            family_taurus_stealer
  behavioral1/memory/596-65-0x0000000000400000-0x000000000043A000-memory.dmp  family_taurus_stealer
  behavioral1/memory/596-68-0x0000000000400000-0x000000000043A000-memory.dmp  family_taurus_stealer

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process                               target process
  PID 1640 set thread context of 596    1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                           pid   process                               target process
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
  PID 1640 wrote to memory of 596       1640  7a9c574a3ef86ab174cc3a48f6b000d1.exe  RegSvcs.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe"
   PID: 1640
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
      PID: 596