Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 10:02
General
-
Target
bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe
-
Size
1.7MB
-
MD5
a4626ce09b592d661c3a053cffbbbbbf
-
SHA1
9210bac9eccce0b73afbeec21bce029fa873d024
-
SHA256
bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618
-
SHA512
99a0844367530a9be796c99d86fbf234dec9390b0c580b5303fd8cc9c0fd02ce7661a4f111c2652d3b3b26e6a1354bb6ef78119960066e27cc311d932975ced0
-
SSDEEP
49152:wLMHj1x0js2+7Z285wh2BOi3LaKLWaejEA:wAHjH0FKZ22wEwi3LPaa
Malware Config
Signatures
-
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
-
Taurus Stealer payload 8 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe"C:\Users\Admin\AppData\Local\Temp\bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 33⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1076-63-0x0000000000000000-mapping.dmp
-
memory/1680-65-0x0000000000000000-mapping.dmp
-
memory/1724-57-0x00000000008A0000-0x0000000000CA5000-memory.dmpFilesize
4.0MB
-
memory/1724-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmpFilesize
8KB
-
memory/1724-58-0x00000000008A0000-0x0000000000CA5000-memory.dmpFilesize
4.0MB
-
memory/1724-59-0x00000000008A0000-0x0000000000CA5000-memory.dmpFilesize
4.0MB
-
memory/1724-60-0x0000000076E90000-0x0000000077010000-memory.dmpFilesize
1.5MB
-
memory/1724-61-0x00000000008A0000-0x0000000000CA5000-memory.dmpFilesize
4.0MB
-
memory/1724-62-0x0000000076E90000-0x0000000077010000-memory.dmpFilesize
1.5MB
-
memory/1724-56-0x00000000008A0000-0x0000000000CA5000-memory.dmpFilesize
4.0MB
-
memory/1724-64-0x00000000008A0000-0x0000000000CA5000-memory.dmpFilesize
4.0MB
-
memory/1724-66-0x0000000076E90000-0x0000000077010000-memory.dmpFilesize
1.5MB
-
memory/1724-55-0x00000000008A0000-0x0000000000CA5000-memory.dmpFilesize
4.0MB