Analysis

  • max time kernel
    171s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    21-02-2022 10:12

General

  • Target

    DHL e-invoice.exe

  • Size

    552KB

  • MD5

    61357a67bf27e938176cb2fa6297c360

  • SHA1

    997320dee58e2c5b1e09f7f4622dea60832b1afb

  • SHA256

    8f7d1999ac5ed03e1c7af4a42100690e2ca326b4219faad33cfc698bc56c4d63

  • SHA512

    cde36d52cf18fc3b6f77a6c33aa4f603a24da93fd75c29dfd36fa63a3a4c21409d492566f0ad030e15a18d3fc7d69025c6f62a93181882a3b0f78bc743f82a45

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • Taurus Stealer Payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL e-invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL e-invoice.exe"
    1⤵
      PID:1280
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:2784
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3696
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2472

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1280-130-0x00000000021D0000-0x000000000224D000-memory.dmp

      Filesize

      500KB

    • memory/1280-131-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB