Analysis Overview
SHA256
61bca95b6a024da3cc6ac31c4e24d470d9750a6838cf285136ba7a70f9be847e
Threat Level: Known bad
The file a1ce7b26712e1db177d86fa87d09c354.bin was found to be: Known bad.
Malicious Activity Summary
Gurcu, WhiteSnake
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-28 01:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-28 01:44
Reported
2023-05-28 01:47
Platform
win7-20230220-en
Max time kernel
46s
Max time network
34s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
Network
Files
memory/1284-54-0x0000000000350000-0x0000000000426000-memory.dmp
memory/1284-55-0x0000000004A10000-0x0000000004A50000-memory.dmp
memory/1284-56-0x00000000004D0000-0x00000000004E0000-memory.dmp
memory/1284-57-0x0000000004A10000-0x0000000004A50000-memory.dmp
memory/1284-58-0x00000000004E0000-0x00000000004EA000-memory.dmp
memory/1284-59-0x0000000007F60000-0x0000000007FF0000-memory.dmp
memory/1284-60-0x00000000044B0000-0x000000000450C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-28 01:44
Reported
2023-05-28 01:47
Platform
win10v2004-20230220-en
Max time kernel
59s
Max time network
128s
Command Line
Signatures
Gurcu, WhiteSnake
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3384 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5056 -ip 5056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1864
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 52.152.108.96:443 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FR | 40.79.141.154:443 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| NL | 173.223.113.164:443 | N/A | tcp |
| NL | 173.223.113.131:80 | N/A | tcp |
| US | 204.79.197.203:80 | N/A | tcp |
Files
memory/3384-133-0x0000000000FA0000-0x0000000001076000-memory.dmp
memory/3384-134-0x0000000005FC0000-0x0000000006564000-memory.dmp
memory/3384-135-0x0000000005910000-0x00000000059A2000-memory.dmp
memory/3384-136-0x00000000059D0000-0x00000000059DA000-memory.dmp
memory/3384-137-0x0000000005BC0000-0x0000000005BD0000-memory.dmp
memory/3384-138-0x0000000005BC0000-0x0000000005BD0000-memory.dmp
memory/3384-139-0x0000000009920000-0x00000000099BC000-memory.dmp
memory/5056-140-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e.exe.log
| Hash | Value |
|---|---|
| MD5 | 7cad59aef5a93f093b6ba494f13f796f |
| SHA1 | 3cef97b77939bfc06dfd3946fc1a8cd159f67100 |
| SHA256 | 1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55 |
| SHA512 | 8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b |
memory/5056-143-0x0000000005360000-0x0000000005370000-memory.dmp