Analysis

max time kernel: 139s
max time network: 150s
platform: windows10_x64
resource: win10v20210408
submitted: 17-05-2021 18:06

Static task: static1
Behavioral task: behavioral1
Sample: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
Resource: win7v20210410
0 signatures
0 seconds
General

Target: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
Size: 697KB
MD5: 0be6ab4816802522b78b028573e9319a
SHA1: a237b8fe0d498a6db268e09122a362738505f134
SHA256: 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7
SHA512: 9cd99fac517c5193217211ed74264a24285ed73ed0864391fa0a2db0e9d2ab129a52a39a629f5a216a6e0613effff70c8f72a0bfdaa9b2ae11f873804b57e13a
Malware Config

Signatures

Taurus Stealer Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2836-121-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer
behavioral2/memory/2836-122-0x000000000041EB40-mapping.dmp | family_taurus_stealer
behavioral2/memory/2836-123-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 584 set thread context of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 584 wrote to memory of 2904 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2904 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2904 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
PID 584 wrote to memory of 2836 | 584 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe"
  PID: 584
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    PID: 2904

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (depth 2)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    PID: 2836