Analysis

Max time kernel: 42s
Max time network: 203s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 18-08-2021 06:21

Static task: static1
Behavioral task: behavioral1
Sample: HyperX Contract with the YouTube channel Marty.pdf.exe
Resource: win7v20210410
0 signatures, 0 seconds
General

Target: HyperX Contract with the YouTube channel Marty.pdf.exe
  The filename poses as a HyperX sponsorship contract for a YouTube channel; with the double extension (.pdf.exe) it shows up as a PDF when Explorer hides known file extensions.
Size: 690.5MB
MD5: 1faedbbdaf9f59894654c5969f5cdd3a
SHA1: 0c02903ced0c3f61e25a848e935ce8ae14fbac31
SHA256: 5e30029b54ec17f048e63d034ff1ae9700ec13c14020d1c2c490b5c126cb3fbd
SHA512: 3e5b5274a8934f9fe94198fef0601579291057f2f922c067b2e9158bda634680b8d0a1aa84d084c456f3bb9c18f65bdeaec46d15c8a6580323c660bfefb7771b
Malware Config
Signatures
- Taurus Stealer Payload (1 IoC)
  Processes:
  resource: behavioral1/memory/1104-62-0x0000000000400000-0x0000000000478000-memory.dmp
  yara_rule: family_taurus_stealer
  The match is in a memory dump of the sample process (PID 1104) covering 0x400000-0x478000, the default 32-bit image base, which is consistent with the stealer code being the sample's own unpacked image rather than something written into another process. That mapped range is 0x78000 bytes (480 KiB) against 690.5MB on disk, so the bulk of the file is worth checking for overlay or padding before treating the file hashes as the only useful indicators.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers target the browser profile stores (saved logins, cookies, autofill data, history). Together with the Taurus Stealer match above, this is the credential-harvesting stage of the run.
- Checks installed software on the system (1 TTP)
  Enumerates the Uninstall registry keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and, on x64, the WOW6432Node counterpart) to list installed software, typical victim profiling by stealers.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  timeout.exe | pid 536
  The delay is 3 seconds (timeout /t 3) and belongs to the self-delete command below: it gives the parent time to exit and release its file lock before cmd.exe deletes the executable. It is not a long sleep intended to outlast the analysis window.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                      | pid  | process                                                | target process
  PID 1104 wrote to memory of 1852 | 1104 | HyperX Contract with the YouTube channel Marty.pdf.exe | cmd.exe      (4 identical entries)
  PID 1852 wrote to memory of 536  | 1852 | cmd.exe                                                | timeout.exe  (4 identical entries)
  Both writers are the parent of the process they write to, and the writes coincide with process creation. CreateProcess itself writes the child's startup parameters into the new address space, so these entries are expected spawn-time writes rather than evidence of code injection; writes into a process the writer did not spawn would be the ones to investigate.
Processes

C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe (PID 1104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe"
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe (PID 1852)
      Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\timeout.exe (PID 536)
          Command line: timeout /t 3
          - Delays execution with timeout.exe

Notes on the tree:
- Both children run from C:\Windows\SysWOW64, so the sample is a 32-bit executable running under WOW64 on this x64 Windows 7 image; the YARA hit at the 0x400000 image base in the Signatures section is consistent with that.
- The chain is the standard self-delete idiom: the sample spawns cmd.exe, which waits 3 seconds (long enough for the parent to exit and release its file lock) and then deletes the original executable, so the loader is gone from disk once it has run. Acquire the on-disk copy from the submission, not from the sandbox filesystem at the end of the run.
- As rendered here the del target is not quoted. If that is the captured command line rather than a display artifact, cmd.exe's del would split the path on spaces into separate non-existent file arguments and the deletion would fail, leaving the file in place; only the quoted form would actually remove it.
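As an added example (not part of the report and not any sandbox vendor's code), the following Python reproduces the two triage decisions the tree above calls for: it builds a process tree from constructed Sysmon-style process-creation records mirroring PIDs 1104 -> 1852 -> 536, flags the `timeout ... & del` self-delete chain by matching the `del` target against an ancestor's image path, and separates the report's parent-to-child WriteProcessMemory entries from a hypothetical write into an unrelated process. The installer chain (PIDs 2000/2010), the PID 700 parent and the (1104, 2000) write are invented for contrast; the `del` path is quoted in the constructed record, and `del_targets()` also shows what cmd.exe does with the unquoted form rendered in the report.

```python
"""Process-tree triage: self-delete detection and WriteProcessMemory classification.
Added example; all records below are constructed, not real telemetry."""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe"

# Constructed Sysmon-style (Event ID 1) process-creation records (assumed PID 700 parent).
PROCESS_EVENTS = [
    dict(pid=1104, ppid=700, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=1852, ppid=1104, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=f'cmd.exe /c timeout /t 3 & del /f /q "{SAMPLE}"'),
    dict(pid=536, ppid=1852, image=r"C:\Windows\SysWOW64\timeout.exe", cmdline="timeout /t 3"),
    # Benign contrast (invented): an installer deleting its own log file, not its image.
    dict(pid=2000, ppid=700, image=r"C:\Program Files\Setup\setup.exe",
         cmdline=r'"C:\Program Files\Setup\setup.exe"'),
    dict(pid=2010, ppid=2000, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r"cmd.exe /c del /q C:\Users\Admin\AppData\Local\Temp\setup.log"),
]

# Constructed WriteProcessMemory records (writer_pid, target_pid): the report's 4+4
# parent-to-child writes plus one hypothetical write into an unrelated process.
WPM_EVENTS = [(1104, 1852)] * 4 + [(1852, 536)] * 4 + [(1104, 2000)]

DELAY_RE = re.compile(r"\b(timeout|ping)\b", re.I)
DEL_RE = re.compile(r"\bdel\b((?:\s+/[a-z])*)\s+(.*)$", re.I)


def normalize(path):
    """Case-fold and strip quotes so paths from different sources compare equal."""
    return path.strip().strip('"').lower()


def del_targets(cmdline):
    """Return the file paths a 'del' in cmdline would act on.

    Quoted arguments are taken whole; unquoted ones are split on whitespace,
    as cmd.exe's del does, so an unquoted path containing spaces comes back as
    several fragments and would not delete the intended file.
    """
    m = DEL_RE.search(cmdline)
    if not m:
        return []
    args = m.group(2).split("&", 1)[0]  # drop any chained command after del
    tokens = re.findall(r'"([^"]*)"|(\S+)', args)
    return [normalize(q or u) for q, u in tokens]


def build_tree(events):
    """Index processes by PID and link each to its children."""
    procs = {e["pid"]: Proc(**e) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p.pid)
    return procs


def find_self_delete(procs):
    """Flag cmd.exe processes whose del target is an ancestor's own image.

    Walking all ancestors rather than just the parent also catches chains that
    insert an extra cmd.exe hop between the malware and the del.
    """
    hits = []
    for p in procs.values():
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        targets = del_targets(p.cmdline)
        if not targets:
            continue
        anc = procs.get(p.ppid)
        while anc is not None:
            if normalize(anc.image) in targets:
                hits.append({"cmd_pid": p.pid, "victim_pid": anc.pid,
                             "delayed": bool(DELAY_RE.search(p.cmdline))})
                break
            anc = procs.get(anc.ppid)
    return hits


def classify_wpm(procs, events):
    """Split WriteProcessMemory events into expected and suspicious sets.

    CreateProcess writes the child's startup parameters into the new address
    space, so a parent writing to a process it just spawned is routine; a write
    into a process the writer did not spawn is the injection candidate.
    """
    out = {"parent_to_child": set(), "cross_process": set()}
    for writer, target in events:
        t = procs.get(target)
        bucket = "parent_to_child" if t is not None and t.ppid == writer else "cross_process"
        out[bucket].add((writer, target))
    return out


if __name__ == "__main__":
    tree = build_tree(PROCESS_EVENTS)
    for hit in find_self_delete(tree):
        print(f"self-delete: cmd.exe {hit['cmd_pid']} removes image of PID "
              f"{hit['victim_pid']} (delayed={hit['delayed']})")
    for bucket, pairs in classify_wpm(tree, WPM_EVENTS).items():
        print(bucket, sorted(pairs))
```

On real telemetry the process records come from Sysmon Event ID 1 (ProcessCreate) and the memory writes from Event ID 10 (ProcessAccess) filtered on a GrantedAccess mask that includes PROCESS_VM_WRITE (0x20); the same parent-of-target test then removes the spawn-time noise that dominates this report's WriteProcessMemory table.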