Analysis
  max time kernel: 139s
  max time network: 159s
  platform: windows10_x64
  resource: win10-en-20210920
  submitted: 18-10-2021 10:00

Static task: static1

Behavioral task: behavioral1
  Sample: d5a65bcb8dd9d114905b89ded4e7bb63.exe
  Resource: win7-en-20211014
  0 signatures, 0 seconds
General
  Target: d5a65bcb8dd9d114905b89ded4e7bb63.exe
  Size: 413KB
  MD5: d5a65bcb8dd9d114905b89ded4e7bb63
  SHA1: 3cfc435712b0209824b174070fce8305d1d40aa8
  SHA256: 2cb9e05e7fd9fa681b295d9a6cf8a5ce57917f0c8d525e991ce6fd50d8661d35
  SHA512: adfbba9093626f63f466c63b7d28f7c3b8612cbc25301ecd05798eb3759e9443afeb6deafac039dbb128a8834f45fae348be6947bd183246b4c24dba5dd93a21
Malware Config

Signatures
  - Taurus Stealer Payload (2 IoCs)
    Processes (resource / yara_rule):
      behavioral2/memory/3608-116-0x00000000025B0000-0x00000000025E8000-memory.dmp  family_taurus_stealer
      behavioral2/memory/3608-117-0x0000000000400000-0x0000000000860000-memory.dmp  family_taurus_stealer
  - Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  - Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Delays execution with timeout.exe (1 IoC)
    Processes (pid / process):
      3972  timeout.exe
  - Suspicious use of WriteProcessMemory (6 IoCs)
    Processes (description / pid / process / target process):
      PID 3608 wrote to memory of 3228  3608  d5a65bcb8dd9d114905b89ded4e7bb63.exe  cmd.exe
      PID 3608 wrote to memory of 3228  3608  d5a65bcb8dd9d114905b89ded4e7bb63.exe  cmd.exe
      PID 3608 wrote to memory of 3228  3608  d5a65bcb8dd9d114905b89ded4e7bb63.exe  cmd.exe
      PID 3228 wrote to memory of 3972  3228  cmd.exe  timeout.exe
      PID 3228 wrote to memory of 3972  3228  cmd.exe  timeout.exe
      PID 3228 wrote to memory of 3972  3228  cmd.exe  timeout.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe"
    PID: 3608
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\d5a65bcb8dd9d114905b89ded4e7bb63.exe
      PID: 3228
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 3
        PID: 3972
        - Delays execution with timeout.exe