Analysis
max time kernel: 117s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211208
submitted: 02-03-2022 06:03
Static task: static1
Behavioral task: behavioral1
Sample: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
Resource: win7-en-20211208
General
Target: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
Size: 505KB
MD5: 13b24673d1ed4ffce62b623c5842ab37
SHA1: fdcd364e3148b2301d778ebe98a00741feca798c
SHA256: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b
SHA512: 476d3fcfca990c9828691e07a2a07ffe069d5a6f91d32292987df2994d112eedf11cc55526ff0fcc71bf9ea508a5453caf2520ec7e35f7f255032f87780f1d43
Malware Config
Signatures
- Taurus Stealer Payload (2 IoCs)
  resource / yara_rule:
  behavioral1/memory/880-60-0x0000000000250000-0x0000000000286000-memory.dmp: family_taurus_stealer
  behavioral1/memory/880-61-0x0000000000400000-0x0000000000437000-memory.dmp: family_taurus_stealer
- Executes dropped EXE (1 IoC)
  pid / process:
  1532: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
- (signature title missing on the page; UPX yara rule matches, 3 IoCs)
  resource / yara_rule:
  \Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe: upx
  C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe: upx
  \Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe: upx
- Deletes itself (1 IoC)
  pid / process:
  1280: cmd.exe
- Loads dropped DLL (2 IoCs)
  pid / process:
  880: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
  880: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Delays execution with timeout.exe (1 IoC)
  pid / process:
  1736: timeout.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description (pid process -> target process):
  PID 880 wrote to memory of 1532 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe)
  PID 880 wrote to memory of 1532 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe)
  PID 880 wrote to memory of 1532 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe)
  PID 880 wrote to memory of 1532 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe)
  PID 880 wrote to memory of 1280 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> cmd.exe)
  PID 880 wrote to memory of 1280 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> cmd.exe)
  PID 880 wrote to memory of 1280 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> cmd.exe)
  PID 880 wrote to memory of 1280 (880 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe -> cmd.exe)
  PID 1280 wrote to memory of 1736 (1280 cmd.exe -> timeout.exe)
  PID 1280 wrote to memory of 1736 (1280 cmd.exe -> timeout.exe)
  PID 1280 wrote to memory of 1736 (1280 cmd.exe -> timeout.exe)
  PID 1280 wrote to memory of 1736 (1280 cmd.exe -> timeout.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe"
  PID: 880
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
    command line: C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
    PID: 1532
    signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
    PID: 1280
    signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 3
      PID: 1736
      signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
  MD5: a767f197a9dab7a2caa273ffaeac4c3a
  SHA1: 2fa39063a7431d2bfd9e5ea65cf9ab6a3b4fdb23
  SHA256: a5d19b118cf998fb745d2f1f3cbe1bdef208ddd15aee2342de2d18c9c903dded
  SHA512: d5847f1202037bb98c983412117ae435ab1fdab0b96d4c1eb0be58e6e2c530a2b6d5f44736cd51a169486706d0bfe6ead0c1bcce7cec2ee8582436e70c367ced