Analysis
- max time kernel: 67s
- max time network: 127s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 17-05-2021 18:06

Static task: static1
Behavioral task: behavioral1
Sample: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
Resource: win7v20210410
0 signatures
0 seconds
General
- Target: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
- Size: 697KB
- MD5: 0be6ab4816802522b78b028573e9319a
- SHA1: a237b8fe0d498a6db268e09122a362738505f134
- SHA256: 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7
- SHA512: 9cd99fac517c5193217211ed74264a24285ed73ed0864391fa0a2db0e9d2ab129a52a39a629f5a216a6e0613effff70c8f72a0bfdaa9b2ae11f873804b57e13a
Malware Config
Signatures
- Taurus Stealer Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/316-63-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer
  behavioral1/memory/316-64-0x000000000041EB40-mapping.dmp | family_taurus_stealer
  behavioral1/memory/316-66-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer

- Suspicious use of SetThreadContext (1 IoC)
  Processes: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
  description | pid | process | target process
  PID 1240 set thread context of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe

- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  pid | process
  864 | timeout.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
  description | pid | process
  Token: SeDebugPrivilege | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe, AddInProcess32.exe, cmd.exe
  description | pid | process | target process
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 1240 wrote to memory of 316 | 1240 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 316 wrote to memory of 868 | 316 | AddInProcess32.exe | cmd.exe
  PID 316 wrote to memory of 868 | 316 | AddInProcess32.exe | cmd.exe
  PID 316 wrote to memory of 868 | 316 | AddInProcess32.exe | cmd.exe
  PID 316 wrote to memory of 868 | 316 | AddInProcess32.exe | cmd.exe
  PID 868 wrote to memory of 864 | 868 | cmd.exe | timeout.exe
  PID 868 wrote to memory of 864 | 868 | cmd.exe | timeout.exe
  PID 868 wrote to memory of 864 | 868 | cmd.exe | timeout.exe
  PID 868 wrote to memory of 864 | 868 | cmd.exe | timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe"
  PID: 1240
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    PID: 316
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      PID: 868
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 3
        PID: 864
        - Delays execution with timeout.exe