Analysis
- max time kernel: 4294177s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 09-03-2022 14:47

Static task
- static1

Behavioral task
- behavioral1
- Sample: 9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe
- Resource: win7-20220223-en
- 0 signatures
- 0 seconds
General
- Target: 9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe
- Size: 801KB
- MD5: 2a5aa786a74b538e4dbc2c1f98b62773
- SHA1: a43cd6b0bbe223e9bf270b47b24076f69e78959a
- SHA256: 9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494
- SHA512: 31d65c02e9a1eabff4071980de8f8998ac43cbfe96dd4da652de7d1f31ff751791b495471697220b5beddcd01d28571b777f5a2c1fce915b751f829c6dbcb6c4
Malware Config
Signatures
- Taurus Stealer Payload (5 IoCs)
  YARA rule family_taurus_stealer matched five memory dumps, all taken from PID 668 and all covering the same region 0x0000000000400000-0x0000000000437000:
  behavioral1/memory/668-64-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral1/memory/668-66-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral1/memory/668-68-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral1/memory/668-70-0x0000000000400000-0x0000000000437000-memory.dmp
  behavioral1/memory/668-72-0x0000000000400000-0x0000000000437000-memory.dmp
- Suspicious use of SetThreadContext (1 IoC)
  PID 528 (9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe) set thread context of PID 668 (mscorsvw.exe)
- Program crash (1 IoC)
  PID 304 (WerFault.exe) handled the crash of PID 668 (mscorsvw.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 528 (9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe) adjusted Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 528 (9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe) wrote to memory of PID 668 (mscorsvw.exe): 10 events
  PID 668 (mscorsvw.exe) wrote to memory of PID 304 (WerFault.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe"
  PID: 528
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
    PID: 668
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 36
      PID: 304
      - Program crash
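The Signatures section and the process tree together describe one pattern: the sample (PID 528) spawns the legitimate .NET binary mscorsvw.exe (PID 668), writes into it ten times, redirects a thread with SetThreadContext, and the YARA family match then lands in the child's image region rather than in the sample's own process. The script below is an added example, not part of the Triage report or its signature engine: it replays the report's events (constructed by hand from the lines above, with the same PIDs and image paths) through a small correlation rule for process hollowing and maps the memory-dump YARA hit back to the loader. The "under C:\Windows" trust heuristic, the child-of-writer requirement and the dump-name regex are assumptions made for the example.

```python
"""Correlate sandbox API events into a process-hollowing verdict and tie a
YARA memory hit back to the hollowed process.

Added example; not part of the Triage report. The events, PIDs and image
paths below are constructed by hand from the report (PIDs 528 / 668 / 304).
The trust heuristic and rule logic are assumptions, not Triage's own
signature implementation.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str              # API family the sandbox logged
    pid: int               # process that performed the action
    target: Optional[int]  # process acted upon (None for self-only actions)
    detail: str = ""       # e.g. privilege name


# Image paths from the report's process tree (constructed input).
PROCESSES: Dict[int, str] = {
    528: r"C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe",
    668: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
    304: r"C:\Windows\SysWOW64\WerFault.exe",
}

# child -> parent, as shown in the tree; 304 is WerFault spawned for 668's crash.
PARENT: Dict[int, int] = {668: 528, 304: 668}

# Events transcribed from the Signatures section (constructed input).
EVENTS: List[Event] = (
    [Event("AdjustPrivilegeToken", 528, None, "SeDebugPrivilege")]
    + [Event("WriteProcessMemory", 528, 668)] * 10
    + [Event("SetThreadContext", 528, 668)]
    + [Event("WriteProcessMemory", 668, 304)] * 4
    + [Event("ProcessCrash", 304, 668)]
)

# Matches Triage-style dump names such as
# behavioral1/memory/668-64-0x0000000000400000-0x0000000000437000-memory.dmp
DUMP_NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def is_windows_binary(path: str) -> bool:
    """Crude trust heuristic (assumption): the image lives under C:\\Windows."""
    return path.lower().startswith("c:\\windows\\")


def find_hollowing(events, processes, parent) -> List[Tuple[int, int, int]]:
    """Return (writer_pid, target_pid, write_count) for every pair where an
    image outside C:\\Windows spawned a Windows binary, wrote into it, and then
    redirected one of its threads with SetThreadContext. Writes without a
    SetThreadContext (e.g. the crash hand-off to WerFault) are left alone."""
    writes = Counter((e.pid, e.target) for e in events if e.kind == "WriteProcessMemory")
    redirected = {(e.pid, e.target) for e in events if e.kind == "SetThreadContext"}
    hits = []
    for (writer, target), count in writes.items():
        if (writer, target) not in redirected:
            continue
        if parent.get(target) != writer:
            continue  # classic hollowing overwrites a child the writer created itself
        if is_windows_binary(processes[writer]) or not is_windows_binary(processes[target]):
            continue
        hits.append((writer, target, count))
    return hits


def parse_dump_name(name: str) -> Optional[Tuple[int, int, int]]:
    """Split a memory-dump file name into (pid, region_start, region_end)."""
    m = DUMP_NAME_RE.search(name)
    if m is None:
        return None
    return int(m["pid"]), int(m["start"], 16), int(m["end"], 16)


def attribute_yara_hit(dump_name: str, hollowing) -> Optional[Dict[str, int]]:
    """Tie a YARA hit on a memory dump to the loader that produced it: the
    family lives in the hollowed child's image region, not in the original
    sample's own process."""
    parsed = parse_dump_name(dump_name)
    if parsed is None:
        return None
    pid, start, end = parsed
    for writer, target, _ in hollowing:
        if target == pid:
            return {"loader_pid": writer, "payload_pid": target,
                    "region_start": start, "region_size": end - start}
    return None


if __name__ == "__main__":
    pairs = find_hollowing(EVENTS, PROCESSES, PARENT)
    print("hollowing pairs:", pairs)
    dump = "behavioral1/memory/668-64-0x0000000000400000-0x0000000000437000-memory.dmp"
    print("YARA hit attribution:", attribute_yara_hit(dump, pairs))
```

Two details of the report make this reading hold up: the matched region starts at 0x400000, the default image base of a 32-bit PE, and the crash handler is the SysWOW64 WerFault.exe, so PID 668 was a 32-bit process whose image region had been replaced. The four writes from mscorsvw.exe into WerFault.exe are the normal crash hand-off and carry no SetThreadContext, which is why the rule ignores them. SeDebugPrivilege is recorded for the loader but is not required to write into a child it created itself; treat it as supporting evidence only. The heuristic will miss hollowing into a non-Windows binary or into a second copy of the loader, so in production the trust check should be signature or catalog based rather than path based.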