Analysis

- max time kernel: 123s
- max time network: 135s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 18-10-2021 10:00

- Static task: static1
- Behavioral task: behavioral1
- Sample: e48448d2eff914c9ade6cd4fa03a2871.exe
- Resource: win7-en-20210920
- 0 signatures
- 0 seconds
General

- Target: e48448d2eff914c9ade6cd4fa03a2871.exe
- Size: 456KB
- MD5: e48448d2eff914c9ade6cd4fa03a2871
- SHA1: 6c193b4f03904955c6a00e08cc46abe8192fb693
- SHA256: 50c3094cb95527f4530bc12cf307a00f2de46c42b81b38aa224842afceaedb67
- SHA512: e0f554a574f137fa8bb6b1044e1d4a0db7fc178fed8a764b952fc8e904481764c01661eb9fde42eea09701a18031ee826ab990597a32cc8e8a9fd439a0fc24d6

Malware Config
Signatures

- Taurus Stealer Payload (2 IoCs)
  Memory dumps matched by YARA rule family_taurus_stealer:
    behavioral1/memory/1172-57-0x0000000000400000-0x000000000086A000-memory.dmp
    behavioral1/memory/1172-56-0x00000000001B0000-0x00000000001E8000-memory.dmp
  Both dumps are taken from PID 1172, the sample's own process. 0x00400000 is the conventional image base of a 32-bit PE, and that region (0x46A000 bytes, roughly 4.4 MB) is far larger than the 456KB file on disk, which is consistent with a packed sample whose stealer payload is unpacked at run time; the on-disk file would need separate static inspection to confirm that.

- Deletes itself (1 IoC)
  Process: cmd.exe (PID 960)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Delays execution with timeout.exe (1 IoC)
  Process: timeout.exe (PID 396)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process                               target process
  PID 1172 wrote to memory of 960   1172  e48448d2eff914c9ade6cd4fa03a2871.exe  cmd.exe      (4 events)
  PID 960 wrote to memory of 396    960   cmd.exe                               timeout.exe  (4 events)
  All eight writes are from a parent into the child it has just spawned (1172 into 960, 960 into 396), which is what process creation looks like from this vantage point. The signature therefore records the spawn chain, not injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\e48448d2eff914c9ade6cd4fa03a2871.exe  (PID 1172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e48448d2eff914c9ade6cd4fa03a2871.exe"
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\cmd.exe  (PID 960)
       Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\e48448d2eff914c9ade6cd4fa03a2871.exe
       - Deletes itself
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\SysWOW64\timeout.exe  (PID 396)
            Command line: timeout /t 3
            - Delays execution with timeout.exe

The "Deletes itself" behaviour is the classic two-stage cleanup: the sample spawns cmd.exe, which waits three seconds with timeout and then removes the sample's own executable with del /f /q. The delay matters because Windows refuses to delete an executable that is still mapped by a running process, so the parent (PID 1172) has to exit before the del runs. The SysWOW64 paths for cmd.exe and timeout.exe show that the sample runs as a 32-bit process on this x64 guest.
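The self-deletion chain above (a cmd.exe child that waits and then deletes its parent's image) and the parent-to-child WriteProcessMemory rows in the Signatures section are both easy to check for in endpoint process telemetry. The following Python is an added example, not part of the sandbox report or of any tool the report describes: it runs over a handful of constructed Sysmon-style process-creation and WriteProcessMemory events (the first ones mirror the PIDs and command lines shown above; the parent of PID 1172 and the remaining events are invented), flags any cmd.exe whose command line deletes its own parent's image, and separately flags writes whose target is not a direct child of the writer. It also treats ping and choice as delay commands, which goes beyond the timeout this report shows.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation event, Sysmon Event ID 1 field subset (constructed)."""
    pid: int
    ppid: int
    image: str           # full path of the new process
    command_line: str    # its command line as logged
    parent_image: str    # full path of the process that spawned it


@dataclass(frozen=True)
class WriteEvent:
    """WriteProcessMemory call: which PID wrote into which PID (constructed)."""
    writer_pid: int
    target_pid: int


# Arguments of a "del"/"erase" command up to the next cmd separator (& or |).
DEL_RE = re.compile(r"\b(?:del|erase)\b([^&|]*)", re.IGNORECASE)
# Delay commands. The report shows timeout; ping -n and choice are common
# substitutes (assumption, broader than the report).
DELAY_RE = re.compile(r"\b(?:timeout|ping|choice)\b", re.IGNORECASE)
# One token: either a double-quoted run or a run of non-whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, no ./..)."""
    return ntpath.normpath(path).lower()


def del_targets(command_line: str) -> Set[str]:
    """Paths deleted by a cmd.exe command line, ignoring /f /q style switches."""
    targets: Set[str] = set()
    for m in DEL_RE.finditer(command_line):
        for quoted, bare in TOKEN_RE.findall(m.group(1)):
            token = quoted or bare
            if not token.startswith("/"):
                targets.add(norm(token))
    return targets


def find_self_deletes(events: Iterable[ProcEvent]) -> List[Dict]:
    """cmd.exe children whose command line deletes the parent's own image."""
    hits = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "cmd.exe":
            continue
        if norm(ev.parent_image) in del_targets(ev.command_line):
            hits.append({
                "cmd_pid": ev.pid,
                "parent_pid": ev.ppid,
                "parent_image": ev.parent_image,
                "delayed": bool(DELAY_RE.search(ev.command_line)),
            })
    return hits


def cross_process_writes(events: Iterable[ProcEvent],
                         writes: Iterable[WriteEvent]) -> List[WriteEvent]:
    """Writes whose target is not a direct child of the writer.

    Parent-to-child writes happen during normal process creation (all eight
    rows in the report are of that kind); anything else deserves a look.
    """
    spawned = {(ev.ppid, ev.pid) for ev in events}
    return [w for w in writes if (w.writer_pid, w.target_pid) not in spawned]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e48448d2eff914c9ade6cd4fa03a2871.exe"

# Constructed events. The first three mirror the PIDs and command lines in the
# report (the parent of 1172 is invented); the rest are made up to exercise
# a benign case and a variant.
EVENTS = [
    ProcEvent(1172, 1000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(960, 1172, r"C:\Windows\SysWOW64\cmd.exe",
              f"/c timeout /t 3 & del /f /q {SAMPLE}", SAMPLE),
    ProcEvent(396, 960, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 3",
              r"C:\Windows\SysWOW64\cmd.exe"),
    # Benign: an installer removing its own log file, not its executable.
    ProcEvent(2210, 2200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del /q "C:\Temp\setup.log"', r"C:\Temp\setup.exe"),
    # Variant: ping as the delay, quoted target, mixed case.
    ProcEvent(4321, 4300, r"C:\Windows\System32\cmd.exe",
              r'cmd /c ping 127.0.0.1 -n 4 > nul & DEL "c:\users\admin\DOWNLOADS\Update.EXE"',
              r"C:\Users\Admin\Downloads\update.exe"),
]
WRITES = [WriteEvent(1172, 960), WriteEvent(960, 396),   # as in the report
          WriteEvent(1172, 1500)]                         # invented: unrelated PID


if __name__ == "__main__":
    for hit in find_self_deletes(EVENTS):
        print("self-delete:", hit)
    for w in cross_process_writes(EVENTS, WRITES):
        print("write outside spawn chain:", w)
```

Run stand-alone it reports PIDs 960 and 4321 as self-deleting cmd.exe instances (both with a delay) and the invented write from 1172 into 1500 as the only one outside the spawn chain. Path comparison goes through ntpath.normpath and lower-casing so that quoting, case and stray separators in the logged command line do not defeat the match.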