Analysis
-
max time kernel
150s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
16-05-2022 12:54
Static task
static1
Behavioral task
behavioral1
Sample
8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
-
Size
720KB
-
MD5
971c48d6dc3f593485bf2577266d2da7
-
SHA1
a9d1b83dd950414be286ec41365ac9b6bfe1bcbf
-
SHA256
8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f
-
SHA512
89229a9e4fb51ef1e7aba83703bd08677a59c416136cb6d5c5df0804e4481c48d655bbc394295eb1858a2de0994e63b3daf67ed9678bc948be4aa6b159606819
Malware Config
Signatures
-
Taurus Stealer Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4456-136-0x0000000000400000-0x0000000000431000-memory.dmp family_taurus_stealer behavioral2/memory/4456-137-0x0000000000400000-0x0000000000431000-memory.dmp family_taurus_stealer behavioral2/memory/4456-138-0x0000000000400000-0x0000000000431000-memory.dmp family_taurus_stealer behavioral2/memory/4456-139-0x0000000000400000-0x0000000000431000-memory.dmp family_taurus_stealer -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exedescription pid process target process PID 3012 set thread context of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 1856 4456 WerFault.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 4008 4456 WerFault.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exepid process 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exedescription pid process Token: SeDebugPrivilege 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exedescription pid process target process PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe PID 3012 wrote to memory of 4456 3012 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe 8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe"C:\Users\Admin\AppData\Local\Temp\8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8523a03188911d6b07fd467ae4a6df79a139c746345031941a8b4a6da369275f.exe"{path}"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 18603⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 18323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4456 -ip 44561⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3012-130-0x0000000000D20000-0x0000000000DDA000-memory.dmpFilesize
744KB
-
memory/3012-131-0x0000000005D90000-0x0000000006334000-memory.dmpFilesize
5.6MB
-
memory/3012-132-0x00000000057E0000-0x0000000005872000-memory.dmpFilesize
584KB
-
memory/3012-133-0x0000000005790000-0x000000000579A000-memory.dmpFilesize
40KB
-
memory/3012-134-0x0000000009240000-0x00000000092DC000-memory.dmpFilesize
624KB
-
memory/4456-135-0x0000000000000000-mapping.dmp
-
memory/4456-136-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4456-137-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4456-138-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/4456-139-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB