Analysis

max time kernel: 134s
max time network: 143s
platform: windows7_x64
resource: win7-en-20211014
submitted: 18-10-2021 10:00

Tasks:
- Static task: static1
- Behavioral task: behavioral1
- Sample: fd02e3d8523e27c5ebe6267860b344ab.exe
- Resource: win7-en-20211014
- 0 signatures, 0 seconds
General

Target: fd02e3d8523e27c5ebe6267860b344ab.exe
Size: 414KB
MD5: fd02e3d8523e27c5ebe6267860b344ab
SHA1: 148b940647d6dd95625c0bbda8e2fe599d4246f4
SHA256: c6b619c4372f50c8418bce658a2726d59caaa3272f7eabafcde596ee72c2aa00
SHA512: 674298b81ae66e1bd4a02bc0500f0fb818b5cdaf3f2e26921c95bf496a4447bc2da82d3f4ea62cec90568d310b8c6460727d7c6a58a6589af871b459d35c5fef
Malware Config
Signatures

Taurus Stealer Payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2044-56-0x00000000003C0000-0x00000000003F8000-memory.dmp  family_taurus_stealer
  behavioral1/memory/2044-57-0x0000000000400000-0x000000000047F000-memory.dmp  family_taurus_stealer

Deletes itself (1 IoC)
Processes:
  pid   process
  1564  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Delays execution with timeout.exe (1 IoC)
Processes:
  pid  process
  736  timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process                               target process
  PID 2044 wrote to memory of 1564   2044  fd02e3d8523e27c5ebe6267860b344ab.exe  cmd.exe
  PID 2044 wrote to memory of 1564   2044  fd02e3d8523e27c5ebe6267860b344ab.exe  cmd.exe
  PID 2044 wrote to memory of 1564   2044  fd02e3d8523e27c5ebe6267860b344ab.exe  cmd.exe
  PID 2044 wrote to memory of 1564   2044  fd02e3d8523e27c5ebe6267860b344ab.exe  cmd.exe
  PID 1564 wrote to memory of 736    1564  cmd.exe                               timeout.exe
  PID 1564 wrote to memory of 736    1564  cmd.exe                               timeout.exe
  PID 1564 wrote to memory of 736    1564  cmd.exe                               timeout.exe
  PID 1564 wrote to memory of 736    1564  cmd.exe                               timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\fd02e3d8523e27c5ebe6267860b344ab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fd02e3d8523e27c5ebe6267860b344ab.exe"
  PID: 2044
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\fd02e3d8523e27c5ebe6267860b344ab.exe
    PID: 1564
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 3
      PID: 736
      - Delays execution with timeout.exe