Analysis
max time kernel: 139s
max time network: 162s
platform: windows10_x64
resource: win10v20210408
submitted: 18-05-2021 00:01

Static task: static1
Behavioral task: behavioral1
Sample: 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe
Resource: win7v20210410
0 signatures
0 seconds
General
Target: 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe
Size: 697KB
MD5: 0be6ab4816802522b78b028573e9319a
SHA1: a237b8fe0d498a6db268e09122a362738505f134
SHA256: 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7
SHA512: 9cd99fac517c5193217211ed74264a24285ed73ed0864391fa0a2db0e9d2ab129a52a39a629f5a216a6e0613effff70c8f72a0bfdaa9b2ae11f873804b57e13a
Malware Config
Signatures

Taurus Stealer Payload 3 IoCs
Processes (resource | yara_rule):
- behavioral2/memory/2668-121-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer
- behavioral2/memory/2668-122-0x000000000041EB40-mapping.dmp | family_taurus_stealer
- behavioral2/memory/2668-123-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer

Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
- set thread context of 2668 | 636 | 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe | AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 636 | 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes (description | pid | process | target process):
- wrote to memory of 1804 | 636 | 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe | AddInProcess32.exe (3 identical entries)
- wrote to memory of 2668 | 636 | 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe | AddInProcess32.exe (9 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7.exe"
  PID: 636
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      PID: 1804
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      PID: 2668