Analysis
max time kernel: 119s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 15-02-2022 20:38
Static task: static1
Behavioral task: behavioral1
Sample: 0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe
Resource: win7-en-20211208
General
Target: 0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe
Size: 435KB
MD5: e6ee67b002cb6faa103debeb3c903ba6
SHA1: fd6a295b24dce06d59173e8e0dbe935c41988ffd
SHA256: 0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254
SHA512: 043b8f18eae512b0cc65fcca0ce3f447e459d7bcaccfd5846a481f6f5fac7d047294e10f5485a341ab929e34f1c9ad474d3ff468564e6308b5d7ea35d9698b03
Malware Config
Signatures

Taurus Stealer Payload (1 IoC)
Processes:
resource | yara_rule
behavioral1/memory/1684-56-0x0000000000400000-0x000000000046F000-memory.dmp | family_taurus_stealer

Deletes itself (1 IoC)
Processes:
pid | process
1244 | cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Delays execution with timeout.exe (1 IoC)
Processes:
pid | process
2004 | timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1684 wrote to memory of 1244 | 1684 | 0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe | cmd.exe
PID 1684 wrote to memory of 1244 | 1684 | 0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe | cmd.exe
PID 1684 wrote to memory of 1244 | 1684 | 0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe | cmd.exe
PID 1684 wrote to memory of 1244 | 1684 | 0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe | cmd.exe
PID 1244 wrote to memory of 2004 | 1244 | cmd.exe | timeout.exe
PID 1244 wrote to memory of 2004 | 1244 | cmd.exe | timeout.exe
PID 1244 wrote to memory of 2004 | 1244 | cmd.exe | timeout.exe
PID 1244 wrote to memory of 2004 | 1244 | cmd.exe | timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe"
   PID: 1684
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0789d73d267431f0bf6ed2dea3885a4cc00e185b635b2378ece2f4c3ecaad254.exe
      PID: 1244
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 3
         PID: 2004
         - Delays execution with timeout.exe