Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 10:02
General
-
Target
bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe
-
Size
1.7MB
-
MD5
a4626ce09b592d661c3a053cffbbbbbf
-
SHA1
9210bac9eccce0b73afbeec21bce029fa873d024
-
SHA256
bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618
-
SHA512
99a0844367530a9be796c99d86fbf234dec9390b0c580b5303fd8cc9c0fd02ce7661a4f111c2652d3b3b26e6a1354bb6ef78119960066e27cc311d932975ced0
-
SSDEEP
49152:wLMHj1x0js2+7Z285wh2BOi3LaKLWaejEA:wAHjH0FKZ22wEwi3LPaa
Malware Config
Signatures
-
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
-
Taurus Stealer payload 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe"C:\Users\Admin\AppData\Local\Temp\bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\bf4a76c73c784edff7a499cdc5284f6a6e5d0e4ae6074097feaa5e9b086ee618.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 33⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2224-132-0x0000000000010000-0x0000000000415000-memory.dmpFilesize
4.0MB
-
memory/2224-133-0x0000000000010000-0x0000000000415000-memory.dmpFilesize
4.0MB
-
memory/2224-135-0x0000000000010000-0x0000000000415000-memory.dmpFilesize
4.0MB
-
memory/2224-134-0x00000000776D0000-0x0000000077873000-memory.dmpFilesize
1.6MB
-
memory/2224-136-0x0000000000010000-0x0000000000415000-memory.dmpFilesize
4.0MB
-
memory/2224-138-0x0000000000010000-0x0000000000415000-memory.dmpFilesize
4.0MB
-
memory/2224-139-0x00000000776D0000-0x0000000077873000-memory.dmpFilesize
1.6MB
-
memory/3812-137-0x0000000000000000-mapping.dmp
-
memory/4088-140-0x0000000000000000-mapping.dmp