Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 06-02-2022 22:36
Static task: static1
Behavioral task: behavioral1
- Sample: po-202103.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: po-202103.exe
- Resource: win10v2004-en-20220113
General
- Target: po-202103.exe
- Size: 1.1MB
- MD5: 83565d8eac8fbbc1b5392913e329397e
- SHA1: 1795fa118fe0484f3238d94207946a988d6ad97a
- SHA256: 787760272209442be52c110ab48a8af7b6d504725708750685275ccdee2807ec
- SHA512: 9930aa82eec1ce8a046ff194d7ba45b24879f45a594356e325ea04614bd3d8001154da7c1f03074c2905c32750b0f4e1caf92dca86c05ccc2e77b81114721990
Malware Config
Signatures
- Taurus Stealer Payload (5 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/756-62-0x0000000000400000-0x000000000043A000-memory.dmp: family_taurus_stealer
  - behavioral1/memory/756-63-0x0000000000400000-0x000000000043A000-memory.dmp: family_taurus_stealer
  - behavioral1/memory/756-64-0x0000000000400000-0x000000000043A000-memory.dmp: family_taurus_stealer
  - behavioral1/memory/756-65-0x0000000000400000-0x000000000043A000-memory.dmp: family_taurus_stealer
  - behavioral1/memory/756-67-0x0000000000400000-0x000000000043A000-memory.dmp: family_taurus_stealer
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (po-202103.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (po-202103.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (po-202103.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (po-202103.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 2028 set thread context of 756: po-202103.exe -> po-202103.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
  - PID 2028 wrote to memory of 1544: po-202103.exe -> schtasks.exe (4 identical entries)
  - PID 2028 wrote to memory of 756: po-202103.exe -> po-202103.exe (10 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\po-202103.exe (PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\po-202103.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1544)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNzYyntiwSm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82B6.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\po-202103.exe (PID 756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\po-202103.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 473715d7d59a5b35c2e89d9ac4e81ffa
- SHA1: a3f89a904121e70b4bf1540af1141860f934461d
- SHA256: 1307b27071e4aff53304de12942d3adc65fae314410089cb5024e374c0b06bae
- SHA512: 6fe4fdb5796adfa6244894b6ba6e4d3bf13249dc7b6310d765f07c353efff03e17105b83940dd7c59018eff6aac38949af11cc310fa79a7d3b25b3a63f386f47