Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 20:24

General

  • Target

    7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe

  • Size

    925KB

  • MD5

    3589b2a4fe7f455f43e03c76fafc9c98

  • SHA1

    a814ea0a7230ee5fb40a5aa18d3f16093f73b55f

  • SHA256

    7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7

  • SHA512

    1f92efe9c905d30e9859ac26212c79db2f65081efbc1070e9928bcca0df99b1779a1628633cc727843099aff69d10cd2b5c576c9e2f6f9c42a11ac1c0cddd1b8

  • SSDEEP

    12288:W+DhHLSmf6G/xy67pr7qvGVMkfzSXEvxPcLJPpQf5:DrXf9YwpUkfzSUvxPcVxC5

Malware Config

Signatures

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • Taurus Stealer payload 6 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe
    "C:\Users\Admin\AppData\Local\Temp\7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      2⤵
        PID:4304
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:208
        • C:\Windows\SysWOW64\cmd.exe
          /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 3
            4⤵
            • Delays execution with timeout.exe
            PID:3996

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/208-136-0x0000000000000000-mapping.dmp

    • memory/208-137-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/208-138-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/208-139-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/208-140-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/208-142-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/3996-143-0x0000000000000000-mapping.dmp

    • memory/4488-132-0x0000000000BE0000-0x0000000000CCC000-memory.dmp

      Filesize

      944KB

    • memory/4488-133-0x0000000005D80000-0x0000000006324000-memory.dmp

      Filesize

      5.6MB

    • memory/4488-134-0x0000000005690000-0x0000000005722000-memory.dmp

      Filesize

      584KB

    • memory/4488-135-0x0000000005740000-0x000000000574A000-memory.dmp

      Filesize

      40KB

    • memory/5012-141-0x0000000000000000-mapping.dmp