Analysis
max time kernel: 111s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 02-03-2022 06:03
Static task: static1
Behavioral task: behavioral1
Sample: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
Resource: win7-en-20211208
General
Target: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
Size: 505KB
MD5: 13b24673d1ed4ffce62b623c5842ab37
SHA1: fdcd364e3148b2301d778ebe98a00741feca798c
SHA256: 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b
SHA512: 476d3fcfca990c9828691e07a2a07ffe069d5a6f91d32292987df2994d112eedf11cc55526ff0fcc71bf9ea508a5453caf2520ec7e35f7f255032f87780f1d43
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes (description | pid | process | target process):
  PID 3764 created 3216 | 3764 | WerFault.exe | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe

Taurus Stealer Payload (2 IoCs)
Processes (resource | yara_rule):
  behavioral2/memory/3216-134-0x00000000032D0000-0x0000000003306000-memory.dmp | family_taurus_stealer
  behavioral2/memory/3216-135-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer

Executes dropped EXE (1 IoCs)
Processes (pid | process):
  1344 | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe

Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe | upx
  C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe | upx

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoCs)
Processes (pid | pid_target | process | target process):
  1312 | 3216 | WerFault.exe | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe

Delays execution with timeout.exe (1 IoCs)
Processes (pid | process):
  4036 | timeout.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  1312 | WerFault.exe
  1312 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
  Token: SeRestorePrivilege | 1312 | WerFault.exe
  Token: SeBackupPrivilege | 1312 | WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description | pid | process | target process):
  PID 3216 wrote to memory of 1344 | 3216 | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
  PID 3216 wrote to memory of 1344 | 3216 | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
  PID 3216 wrote to memory of 1344 | 3216 | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
  PID 3216 wrote to memory of 1620 | 3216 | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe | cmd.exe
  PID 3216 wrote to memory of 1620 | 3216 | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe | cmd.exe
  PID 3216 wrote to memory of 1620 | 3216 | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe | cmd.exe
  PID 1620 wrote to memory of 4036 | 1620 | cmd.exe | timeout.exe
  PID 1620 wrote to memory of 4036 | 1620 | cmd.exe | timeout.exe
  PID 1620 wrote to memory of 4036 | 1620 | cmd.exe | timeout.exe
  PID 3764 wrote to memory of 3216 | 3764 | WerFault.exe | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
  PID 3764 wrote to memory of 3216 | 3764 | WerFault.exe | 83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
Processes

C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe (PID: 3216)
  command line: "C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe (PID: 1344)
    command line: C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID: 1620)
    command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0b.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID: 4036)
      command line: timeout /t 3
      - Delays execution with timeout.exe

  C:\Windows\SysWOW64\WerFault.exe (PID: 1312)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1336
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID: 3764)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3216 -ip 3216
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\83d364c969b64ac72b8f8eb1e66d60c6915d10d385190d29ba6df82c67167f0bmgr.exe
MD5: a767f197a9dab7a2caa273ffaeac4c3a
SHA1: 2fa39063a7431d2bfd9e5ea65cf9ab6a3b4fdb23
SHA256: a5d19b118cf998fb745d2f1f3cbe1bdef208ddd15aee2342de2d18c9c903dded
SHA512: d5847f1202037bb98c983412117ae435ab1fdab0b96d4c1eb0be58e6e2c530a2b6d5f44736cd51a169486706d0bfe6ead0c1bcce7cec2ee8582436e70c367ced