Analysis
- max time kernel: 303s
- max time network: 313s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 18-08-2021 06:21

Static task: static1
Behavioral task: behavioral1
- Sample: HyperX Contract with the YouTube channel Marty.pdf.exe
- Resource: win7v20210410
- 0 signatures
- 0 seconds
General
- Target: HyperX Contract with the YouTube channel Marty.pdf.exe
- Size: 690.5MB (note that the in-memory image dumped at 0x0000000000400000-0x0000000000478000 below is only 0x78000 bytes, roughly 480 KB, so the bulk of the file on disk is not part of the mapped executable)
- MD5: 1faedbbdaf9f59894654c5969f5cdd3a
- SHA1: 0c02903ced0c3f61e25a848e935ce8ae14fbac31
- SHA256: 5e30029b54ec17f048e63d034ff1ae9700ec13c14020d1c2c490b5c126cb3fbd
- SHA512: 3e5b5274a8934f9fe94198fef0601579291057f2f922c067b2e9158bda634680b8d0a1aa84d084c456f3bb9c18f65bdeaec46d15c8a6580323c660bfefb7771b
Malware Config
Signatures
- Taurus Stealer Payload (1 IoC)
  Processes:
  resource: behavioral2/memory/640-115-0x0000000000400000-0x0000000000478000-memory.dmp
  yara_rule: family_taurus_stealer
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid: 2224, process: timeout.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 640 wrote to memory of 192 | 640 | HyperX Contract with the YouTube channel Marty.pdf.exe | cmd.exe
  PID 640 wrote to memory of 192 | 640 | HyperX Contract with the YouTube channel Marty.pdf.exe | cmd.exe
  PID 640 wrote to memory of 192 | 640 | HyperX Contract with the YouTube channel Marty.pdf.exe | cmd.exe
  PID 192 wrote to memory of 2224 | 192 | cmd.exe | timeout.exe
  PID 192 wrote to memory of 2224 | 192 | cmd.exe | timeout.exe
  PID 192 wrote to memory of 2224 | 192 | cmd.exe | timeout.exe
Processes
1. "C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe"
   PID: 640
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe
      PID: 192
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe timeout /t 3
         PID: 2224
         - Delays execution with timeout.exe

The numbering gives the depth in the process tree. The sample spawns cmd.exe, which waits three seconds (long enough for the parent to exit and release its file handle) and then deletes the original executable from disk; the timeout.exe child is that delay, not a separate payload.
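The self-deletion chain above (parent executable, then cmd.exe running `timeout ... & del ... <parent path>`) is a pattern a detection engineer can match on process-creation telemetry. The following is an added example, not part of this report or of any sandbox's own code: it walks a small set of process-creation events, constructed here to mirror the PIDs and paths in the tree above, and flags any cmd.exe whose command line deletes the image path of its own parent. The event structure, the root parent PID 1234 and the benign fourth event are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, e.g. Sysmon event 1 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the report's process tree.
# PIDs 640/192/2224 and the paths come from the report; PPID 1234 and the
# final benign event are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(640, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe"'),
    ProcEvent(192, 640, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c timeout /t 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\HyperX Contract with the YouTube channel Marty.pdf.exe"'),
    ProcEvent(2224, 192, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 3"),
    # Benign: an admin script pausing and then removing a log file (not self-deletion).
    ProcEvent(3000, 2900, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c timeout /t 5 & del /q C:\Temp\old.log"),
]

# "del" with optional switches, then a quoted or unquoted path ending at the
# end of the line or at a command separator. Unquoted paths may contain spaces,
# as in the report's own cmd line, so spaces are allowed inside the target.
DEL_RE = re.compile(
    r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&|]+?)"?\s*(?:$|&|\|)', re.IGNORECASE)
# Common ways to stall before the delete so the parent has exited.
DELAY_RE = re.compile(r"\b(timeout|ping)\b", re.IGNORECASE)


def deletion_targets(cmdline: str) -> list[str]:
    """Return the lower-cased paths passed to 'del' in a cmd.exe command line."""
    return [m.group(1).strip().lower() for m in DEL_RE.finditer(cmdline)]


def find_self_deletion(events: list[ProcEvent]) -> list[dict]:
    """Flag cmd.exe processes that delete the image file of their parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if parent.image.lower() in deletion_targets(e.cmdline):
            hits.append({
                "parent_pid": parent.pid,
                "parent_image": parent.image,
                "cmd_pid": e.pid,
                "delayed": bool(DELAY_RE.search(e.cmdline)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_EVENTS):
        print(f"self-deletion: PID {hit['parent_pid']} via cmd.exe PID {hit['cmd_pid']} "
              f"(delayed={hit['delayed']}) -> {hit['parent_image']}")
```

The check keys on the parent's image path rather than on `timeout` alone, which keeps ordinary pause-then-delete scripts out of the results; the `delayed` flag is kept as supporting context because the wait is what lets the parent's file handle close before `del` runs.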