Analysis Overview
SHA256
24b335b5bb52f65a242f90c1f10fe171a1a4b38214a192c387529aa69280ab60
Threat Level: Known bad
The file 7a9c574a3ef86ab174cc3a48f6b000d1.exe was found to be: Known bad.
Malicious Activity Summary
Taurus Stealer
Taurus Stealer Payload
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 01:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 01:02
Reported
2021-05-15 01:04
Platform
win7v20210410
Max time kernel
122s
Max time network
121s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1640 set thread context of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe
"C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 51.195.70.170:80 | 51.195.70.170 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 01:02
Reported
2021-05-15 01:05
Platform
win10v20210410
Max time kernel
40s
Max time network
147s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses 2FA software files, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1832 set thread context of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe
"C:\Users\Admin\AppData\Local\Temp\7a9c574a3ef86ab174cc3a48f6b000d1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1076
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 51.195.70.170:80 | 51.195.70.170 | tcp |
Files