Analysis Overview
SHA256
9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494
Threat Level: Known bad
The file 9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494 was found to be: Known bad.
Malicious Activity Summary
Taurus Stealer
Taurus Stealer Payload
Suspicious use of SetThreadContext
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-09 14:47
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-09 14:47
Reported
2022-03-09 14:49
Platform
win10v2004-en-20220113
Max time kernel
124s
Max time network
145s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3796 set thread context of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe
"C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 3916 -ip 3916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 192
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.39.99:443 | | tcp |
| NL | 142.250.179.138:443 | | tcp |
| NL | 142.250.179.195:443 | | tcp |
| NL | 142.250.179.202:443 | | tcp |
| US | 8.8.8.8:443 | | tcp |
| US | 8.8.8.8:443 | | tcp |
| US | 8.8.8.8:443 | | tcp |
| US | 8.8.8.8:53 | oneocsp.microsoft.com | udp |
| US | 131.253.33.203:80 | oneocsp.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 2.21.41.70:80 | www.microsoft.com | tcp |
Files
memory/3796-133-0x0000000000310000-0x00000000003DC000-memory.dmp
memory/3796-134-0x0000000075210000-0x00000000759C0000-memory.dmp
memory/3796-135-0x0000000004CC0000-0x0000000004D5C000-memory.dmp
memory/3796-136-0x0000000007A20000-0x0000000007FC4000-memory.dmp
memory/3796-137-0x0000000007550000-0x00000000075E2000-memory.dmp
memory/3796-138-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
memory/3796-139-0x0000000007920000-0x0000000007942000-memory.dmp
memory/3916-140-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3916-141-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3916-142-0x0000000000400000-0x0000000000437000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-09 14:47
Reported
2022-03-09 14:49
Platform
win7-20220223-en
Max time kernel
4294177s
Max time network
121s
Command Line
Signatures
Taurus Stealer
Taurus Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 528 set thread context of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe
"C:\Users\Admin\AppData\Local\Temp\9db755614d0680ac122b3b5afd1007c364918cd81559722da326ca54de017494.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 36
Network
Files
memory/528-54-0x0000000000BD0000-0x0000000000C9C000-memory.dmp
memory/528-55-0x0000000000380000-0x00000000003A0000-memory.dmp
memory/528-56-0x00000000004B0000-0x00000000004D4000-memory.dmp
memory/528-57-0x0000000074AD0000-0x00000000751BE000-memory.dmp
memory/528-58-0x0000000004A90000-0x0000000004A91000-memory.dmp
memory/528-59-0x0000000000590000-0x00000000005A2000-memory.dmp
memory/668-60-0x0000000000400000-0x0000000000437000-memory.dmp
memory/668-62-0x0000000000400000-0x0000000000437000-memory.dmp
memory/668-64-0x0000000000400000-0x0000000000437000-memory.dmp
memory/668-66-0x0000000000400000-0x0000000000437000-memory.dmp
memory/668-68-0x0000000000400000-0x0000000000437000-memory.dmp
memory/668-70-0x0000000000400000-0x0000000000437000-memory.dmp
memory/668-72-0x0000000000400000-0x0000000000437000-memory.dmp