Analysis
- max time kernel: 4294181s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 09-03-2022 14:47
Static task: static1
Behavioral task: behavioral1
- Sample: 0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
- Resource: win7-20220223-en
- 0 signatures
- 0 seconds
General
- Target: 0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
- Size: 774KB
- MD5: 1f9f7e9daf64b52198b59b432d3dd852
- SHA1: 784b9bf1830d887ba6b0dccb0ace6058553f12c1
- SHA256: 0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee
- SHA512: 0fac9a19ac606813eb42203497b8b104b6b80e1b2b00e5a7a5302ba80e3634dc42b0ed1f3947d19e13f150448f9a518db96938d45959fdf51310b0f45445655c
Malware Config
Signatures
- Taurus Stealer Payload (5 IoCs)
  Processes:
    resource                                                                  yara_rule
    behavioral1/memory/1204-65-0x0000000000400000-0x0000000000437000-memory.dmp  family_taurus_stealer
    behavioral1/memory/1204-67-0x0000000000400000-0x0000000000437000-memory.dmp  family_taurus_stealer
    behavioral1/memory/1204-69-0x0000000000400000-0x0000000000437000-memory.dmp  family_taurus_stealer
    behavioral1/memory/1204-63-0x0000000000400000-0x0000000000437000-memory.dmp  family_taurus_stealer
    behavioral1/memory/1204-71-0x0000000000400000-0x0000000000437000-memory.dmp  family_taurus_stealer

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                            pid   process                                                                   target process
    PID 964 set thread context of 1204     964   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe

- Program crash (1 IoC)
  Processes:
    pid    pid_target   process         target process
    1888   1204         WerFault.exe    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    964   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    964   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    964   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description                          pid    process                                                                   target process
    PID 964 wrote to memory of 1068      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1068      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1068      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1068      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 964 wrote to memory of 1204      964    0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    PID 1204 wrote to memory of 1888     1204   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  WerFault.exe
    PID 1204 wrote to memory of 1888     1204   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  WerFault.exe
    PID 1204 wrote to memory of 1888     1204   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  WerFault.exe
    PID 1204 wrote to memory of 1888     1204   0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe"
  PID: 964
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    Command line: "{path}"
    PID: 1068
  - C:\Users\Admin\AppData\Local\Temp\0eabc0c432964bfd9ac2cc2015cff3c168fee3a0c3a7f6cd36deb7e1024617ee.exe
    Command line: "{path}"
    PID: 1204
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 36
      PID: 1888
      - Program crash