Analysis
max time kernel: 139s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 15:53
Static task: static1
Behavioral task: behavioral1
Sample: a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe
Resource: win7-20220414-en
General
Target: a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe
Size: 340KB
MD5: 2698acb7cbe77cc6fe1c91b9ae6a094a
SHA1: 1b248628cd297083f9ba7a74f03aa62ed43d4bd1
SHA256: a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a
SHA512: 12ea18d4b8ad3853e5200c6bf552c5d45f2dc5678ed8fdf31ac99a56f9fd913068a0f5b9fd758a4452b2f11ba84283398f674028cb269e27536fef373c9b82d6
Malware Config
Signatures

Taurus Stealer payload (4 IoCs)
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2304-132-0x0000000006580000-0x00000000065B6000-memory.dmp   family_taurus_stealer
  behavioral2/memory/2304-133-0x0000000000400000-0x00000000047D9000-memory.dmp   family_taurus_stealer
  behavioral2/memory/2304-134-0x0000000000400000-0x00000000047D9000-memory.dmp   family_taurus_stealer
  behavioral2/memory/2304-137-0x0000000000400000-0x00000000047D9000-memory.dmp   family_taurus_stealer

Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2304-130-0x0000000000400000-0x00000000047D9000-memory.dmp   upx

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoCs)
Processes:
  pid    pid_target   process        target process
  3328   2304         WerFault.exe   a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe

Delays execution with timeout.exe (1 IoCs)
Processes:
  pid    process
  2328   timeout.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                           pid    process                                                                   target process
  PID 2304 wrote to memory of 480       2304   a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe   cmd.exe
  PID 2304 wrote to memory of 480       2304   a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe   cmd.exe
  PID 2304 wrote to memory of 480       2304   a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe   cmd.exe
  PID 480 wrote to memory of 2328       480    cmd.exe                                                                   timeout.exe
  PID 480 wrote to memory of 2328       480    cmd.exe                                                                   timeout.exe
  PID 480 wrote to memory of 2328       480    cmd.exe                                                                   timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\a47bd76b1a8fad38780fb7d983d6634d565c42c6da702eb630218fcab05a2e4a.exe
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 3
         - Delays execution with timeout.exe

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1312
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2304 -ip 2304
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  file                                                             Filesize
  memory/480-135-0x0000000000000000-mapping.dmp
  memory/2304-130-0x0000000000400000-0x00000000047D9000-memory.dmp   67.8MB
  memory/2304-131-0x0000000004F10000-0x0000000004F31000-memory.dmp   132KB
  memory/2304-132-0x0000000006580000-0x00000000065B6000-memory.dmp   216KB
  memory/2304-133-0x0000000000400000-0x00000000047D9000-memory.dmp   67.8MB
  memory/2304-134-0x0000000000400000-0x00000000047D9000-memory.dmp   67.8MB
  memory/2304-137-0x0000000000400000-0x00000000047D9000-memory.dmp   67.8MB
  memory/2328-136-0x0000000000000000-mapping.dmp