Analysis

max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 20:24
Static task: static1
Behavioral task: behavioral1
Sample: 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe
Resource: win7-20220812-en (windows7-x64)
7 signatures, 150 seconds
General

Target: 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe
Size: 925KB
MD5: 3589b2a4fe7f455f43e03c76fafc9c98
SHA1: a814ea0a7230ee5fb40a5aa18d3f16093f73b55f
SHA256: 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7
SHA512: 1f92efe9c905d30e9859ac26212c79db2f65081efbc1070e9928bcca0df99b1779a1628633cc727843099aff69d10cd2b5c576c9e2f6f9c42a11ac1c0cddd1b8
SSDEEP: 12288:W+DhHLSmf6G/xy67pr7qvGVMkfzSXEvxPcLJPpQf5:DrXf9YwpUkfzSUvxPcVxC5
Malware Config
Signatures

Taurus Stealer payload (6 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/208-136-0x0000000000000000-mapping.dmp | family_taurus_stealer
behavioral2/memory/208-137-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
behavioral2/memory/208-138-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
behavioral2/memory/208-139-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
behavioral2/memory/208-140-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
behavioral2/memory/208-142-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer

Suspicious use of SetThreadContext (1 IoC)
Processes: 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe
description | pid | process | target process
PID 4488 set thread context of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe
pid | process
3996 | timeout.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe
description | pid | process
Token: SeDebugPrivilege | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe, AddInProcess32.exe, cmd.exe
description | pid | process | target process
PID 4488 wrote to memory of 4304 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 4304 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 4304 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 4488 wrote to memory of 208 | 4488 | 7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe | AddInProcess32.exe
PID 208 wrote to memory of 5012 | 208 | AddInProcess32.exe | cmd.exe
PID 208 wrote to memory of 5012 | 208 | AddInProcess32.exe | cmd.exe
PID 208 wrote to memory of 5012 | 208 | AddInProcess32.exe | cmd.exe
PID 5012 wrote to memory of 3996 | 5012 | cmd.exe | timeout.exe
PID 5012 wrote to memory of 3996 | 5012 | cmd.exe | timeout.exe
PID 5012 wrote to memory of 3996 | 5012 | cmd.exe | timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f3c69c97fcc1374540adaf6eba5ad6159faa11d57a64d92784f84e4a2bf6de7.exe"
  PID: 4488
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      PID: 4304

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      PID: 208
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          PID: 5012
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\timeout.exe
              Command line: timeout /t 3
              PID: 3996
              - Delays execution with timeout.exe