Analysis
max time kernel: 169s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 16:53

Static task: static1
Behavioral task: behavioral1
Sample: 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
Resource: win7-20220414-en
General
Target: 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
Size: 314KB
MD5: 8391150bd1e9ee175e448aa45b58414f
SHA1: 0e4aff0bc949292f5500539a655e684f22c9953a
SHA256: 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0
SHA512: 1f3c19b3f635f7836bccc0eecffbb94f385acafdbb47b93201a63c73b906f223fa59bc5a4b5ba9ecb9d9b06085f80479341bc84aa9df6941dd5ae451c4476961
Malware Config
Signatures

Taurus Stealer payload (5 IoCs)
Processes (resource | yara_rule):
behavioral2/memory/2528-130-0x0000000000400000-0x00000000047D0000-memory.dmp | family_taurus_stealer
behavioral2/memory/2528-132-0x00000000047D0000-0x0000000004806000-memory.dmp | family_taurus_stealer
behavioral2/memory/2528-133-0x0000000000400000-0x00000000047D0000-memory.dmp | family_taurus_stealer
behavioral2/memory/2528-134-0x0000000000400000-0x00000000047D0000-memory.dmp | family_taurus_stealer
behavioral2/memory/2528-137-0x0000000000400000-0x00000000047D0000-memory.dmp | family_taurus_stealer

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
1956 | 2528 | WerFault.exe | 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe

Delays execution with timeout.exe (1 IoC)
Processes (pid | process):
4352 | timeout.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
PID 2528 wrote to memory of 4172 | 2528 | 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe | cmd.exe
PID 2528 wrote to memory of 4172 | 2528 | 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe | cmd.exe
PID 2528 wrote to memory of 4172 | 2528 | 0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe | cmd.exe
PID 4172 wrote to memory of 4352 | 4172 | cmd.exe | timeout.exe
PID 4172 wrote to memory of 4352 | 4172 | cmd.exe | timeout.exe
PID 4172 wrote to memory of 4352 | 4172 | cmd.exe | timeout.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe"
  PID: 2528
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\0c70017cfb5a22479524853245888f9ed16de11134079af2c47acaff0af86af0.exe
    PID: 4172
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 3
      PID: 4352
      signatures: Delays execution with timeout.exe

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1244
    PID: 1956
    signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2528 -ip 2528
  PID: 3324