Analysis
- max time kernel: 134s
- max time network: 134s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 18-10-2021 10:00

Static task: static1
Behavioral task: behavioral1
  Sample: d5a65bcb8dd9d114905b89ded4e7bb63.exe
  Resource: win7-en-20211014
  0 signatures
  0 seconds
General
- Target: d5a65bcb8dd9d114905b89ded4e7bb63.exe
- Size: 413KB
- MD5: d5a65bcb8dd9d114905b89ded4e7bb63
- SHA1: 3cfc435712b0209824b174070fce8305d1d40aa8
- SHA256: 2cb9e05e7fd9fa681b295d9a6cf8a5ce57917f0c8d525e991ce6fd50d8661d35
- SHA512: adfbba9093626f63f466c63b7d28f7c3b8612cbc25301ecd05798eb3759e9443afeb6deafac039dbb128a8834f45fae348be6947bd183246b4c24dba5dd93a21
Malware Config
Signatures
- Taurus Stealer Payload (2 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1248-56-0x0000000000220000-0x0000000000258000-memory.dmp    family_taurus_stealer
  behavioral1/memory/1248-57-0x0000000000400000-0x0000000000860000-memory.dmp    family_taurus_stealer
- Deletes itself (1 IoCs)
  Processes:
  pid    process
  1356   cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid    process
  1624   timeout.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                        pid    process                                 target process
  PID 1248 wrote to memory of 1356   1248   d5a65bcb8dd9d114905b89ded4e7bb63.exe    cmd.exe
  PID 1248 wrote to memory of 1356   1248   d5a65bcb8dd9d114905b89ded4e7bb63.exe    cmd.exe
  PID 1248 wrote to memory of 1356   1248   d5a65bcb8dd9d114905b89ded4e7bb63.exe    cmd.exe
  PID 1248 wrote to memory of 1356   1248   d5a65bcb8dd9d114905b89ded4e7bb63.exe    cmd.exe
  PID 1356 wrote to memory of 1624   1356   cmd.exe                                 timeout.exe
  PID 1356 wrote to memory of 1624   1356   cmd.exe                                 timeout.exe
  PID 1356 wrote to memory of 1624   1356   cmd.exe                                 timeout.exe
  PID 1356 wrote to memory of 1624   1356   cmd.exe                                 timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe"
  PID: 1248
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe
    PID: 1356
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 3
      PID: 1624
      - Delays execution with timeout.exe
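The process tree above shows the sample launching cmd.exe to wait three seconds (timeout.exe) and then delete its own image from disk, which is why the report raises both "Delays execution with timeout.exe" and "Deletes itself". As an added example (not part of this report or of the sandbox's own detection logic), the following Python detector scans process-creation events in the shape a Sysmon Event ID 1 collector would give (pid, ppid, image, command line) and flags a cmd.exe whose command line deletes its parent's image path, recording whether a delay primitive precedes the delete and which delay child it spawned. The event records are constructed to mirror the tree above plus one benign cleanup command; the field names, the regexes and the chosen delay primitives (timeout, ping, choice) are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 style; assumed schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Delay primitives commonly chained in front of a self-delete (assumed list).
DELAY_RE = re.compile(
    r"\b(timeout(\.exe)?\s+/t\s+\d+"
    r"|ping(\.exe)?\s+(-n\s+\d+\s+)?127\.0\.0\.1"
    r"|choice(\.exe)?\s+/t\s+\d+)",
    re.I,
)

# `del`/`erase`, optional switches, then the target path up to the next
# command separator (& or |) or end of line; quotes are optional.
DEL_RE = re.compile(
    r"\b(del|erase)\b((?:\s+/[fqsa])*)\s+\"?([^\"&|]+?)\"?\s*(?:[&|]|$)", re.I
)

DELAY_IMAGES = ("timeout.exe", "ping.exe", "choice.exe")


def _norm(path: str) -> str:
    """Case-insensitive, unquoted path form for comparison."""
    return path.strip().strip('"').lower()


def self_delete_target(parent_image: str, cmdline: str) -> Optional[str]:
    """Return the normalised deleted path if cmdline deletes parent_image."""
    for m in DEL_RE.finditer(cmdline):
        target = _norm(m.group(3))
        if target == _norm(parent_image):
            return target
    return None


def find_self_deletes(events: Iterable[ProcEvent]) -> List[dict]:
    """Flag cmd.exe processes whose command line deletes their parent's image."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in by_pid.values():
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        target = self_delete_target(parent.image, e.cmdline)
        if target is None:
            continue
        delay_children = sorted(
            c.pid for c in by_pid.values()
            if c.ppid == e.pid
            and c.image.lower().rsplit("\\", 1)[-1] in DELAY_IMAGES
        )
        hits.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "cmd_pid": e.pid,
            "deleted": target,
            "delayed": bool(DELAY_RE.search(e.cmdline)),
            "delay_children": delay_children,
        })
    return hits


# Constructed events modelled on the report's process tree (not sandbox output),
# plus a benign installer that deletes a log file rather than its own image.
SAMPLE_EVENTS = [
    ProcEvent(1248, 900,
              r"C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe"'),
    ProcEvent(1356, 1248, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe"),
    ProcEvent(1624, 1356, r"C:\Windows\SysWOW64\timeout.exe", r"timeout /t 3"),
    ProcEvent(1800, 700, r"C:\Users\Admin\Downloads\setup.exe",
              r'"C:\Users\Admin\Downloads\setup.exe"'),
    ProcEvent(2000, 1800, r"C:\Windows\System32\cmd.exe",
              r'/c del /q "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
]

if __name__ == "__main__":
    for hit in find_self_deletes(SAMPLE_EVENTS):
        print(hit)
```

The match is on the parent's image path rather than on the mere presence of `del`, so routine temp-file cleanup by installers does not fire; the delay flag is kept as a separate attribute because a `del` of the parent without a preceding wait is still worth alerting on, it just tends to fail while the parent is still running.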