Analysis
- max time kernel: 82s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 17-05-2021 19:02
Static task: static1
Behavioral task: behavioral1
- Sample: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
- Resource: win7v20210408
- 0 signatures
- 0 seconds
General
- Target: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
- Size: 697KB
- MD5: 0be6ab4816802522b78b028573e9319a
- SHA1: a237b8fe0d498a6db268e09122a362738505f134
- SHA256: 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7
- SHA512: 9cd99fac517c5193217211ed74264a24285ed73ed0864391fa0a2db0e9d2ab129a52a39a629f5a216a6e0613effff70c8f72a0bfdaa9b2ae11f873804b57e13a
Malware Config
Signatures
- Taurus Stealer Payload (3 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/2144-121-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer
  behavioral2/memory/2144-122-0x000000000041EB40-mapping.dmp | family_taurus_stealer
  behavioral2/memory/2144-123-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2204 set thread context of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
- Delays execution with timeout.exe (1 IoC)
  Processes (pid | process):
  3152 | timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2204 wrote to memory of 2144 | 2204 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
  PID 2144 wrote to memory of 1588 | 2144 | AddInProcess32.exe | cmd.exe
  PID 2144 wrote to memory of 1588 | 2144 | AddInProcess32.exe | cmd.exe
  PID 2144 wrote to memory of 1588 | 2144 | AddInProcess32.exe | cmd.exe
  PID 1588 wrote to memory of 3152 | 1588 | cmd.exe | timeout.exe
  PID 1588 wrote to memory of 3152 | 1588 | cmd.exe | timeout.exe
  PID 1588 wrote to memory of 3152 | 1588 | cmd.exe | timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2204
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    - Suspicious use of WriteProcessMemory
    PID: 2144
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      - Suspicious use of WriteProcessMemory
      PID: 1588
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 3
        - Delays execution with timeout.exe
        PID: 3152