gurcu | 2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

Analysis

max time kernel
372s
max time network
382s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2023 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Size

599KB
MD5

fdb8081ac26d8de3f7582b2616bcf3e8
SHA1

c46856c1394a0b36f7826285db0d72ae494f15f0
SHA256

2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98
SHA512

0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98
SSDEEP

6144:kH5XgP9i7Nss/t/a2zDGVPJXvnzZjDJHb571Kjn1929XDccH89bq3vcebsVDsu:8UkRatpvnzZjDv7oj19yTN3vi1

Score

10^/10

gurcu collection discovery spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Executes dropped EXE 14 IoCs

pid	Process
1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
2224	tor.exe
1940	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
3144	tor.exe
1672	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
4032	tor.exe
2108	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
5072	tor.exe
2504	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
3732	tor.exe
3876	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
4456	tor.exe
4792	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
5040	tor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2128	1940	WerFault.exe	107
3124	1672	WerFault.exe	118
968	2108	WerFault.exe	126
816	2504	WerFault.exe	131
3600	3876	WerFault.exe	136
5092	4792	WerFault.exe	141

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2804	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4248	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1940	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1940	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Token: SeDebugPrivilege	1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Token: SeDebugPrivilege	1940	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Token: SeDebugPrivilege	1672	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Token: SeDebugPrivilege	2108	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Token: SeDebugPrivilege	2504	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Token: SeDebugPrivilege	3876	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
Token: SeDebugPrivilege	4792	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4444	4340	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	87
PID 4340 wrote to memory of 4444	4340	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	87
PID 4444 wrote to memory of 4644	4444	cmd.exe	89
PID 4444 wrote to memory of 4644	4444	cmd.exe	89
PID 4444 wrote to memory of 4248	4444	cmd.exe	91
PID 4444 wrote to memory of 4248	4444	cmd.exe	91
PID 4444 wrote to memory of 2804	4444	cmd.exe	92
PID 4444 wrote to memory of 2804	4444	cmd.exe	92
PID 4444 wrote to memory of 1132	4444	cmd.exe	94
PID 4444 wrote to memory of 1132	4444	cmd.exe	94
PID 1132 wrote to memory of 4672	1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	100
PID 1132 wrote to memory of 4672	1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	100
PID 1132 wrote to memory of 2224	1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	102
PID 1132 wrote to memory of 2224	1132	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	102
PID 1940 wrote to memory of 3144	1940	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	108
PID 1940 wrote to memory of 3144	1940	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	108
PID 1672 wrote to memory of 4032	1672	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	119
PID 1672 wrote to memory of 4032	1672	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	119
PID 2108 wrote to memory of 5072	2108	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	127
PID 2108 wrote to memory of 5072	2108	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	127
PID 2504 wrote to memory of 3732	2504	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	132
PID 2504 wrote to memory of 3732	2504	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	132
PID 3876 wrote to memory of 4456	3876	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	137
PID 3876 wrote to memory of 4456	3876	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	137
PID 4792 wrote to memory of 5040	4792	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	142
PID 4792 wrote to memory of 5040	4792	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
"C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4644
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4248
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2804
- - C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp30B0.tmp" -C "C:\Users\Admin\AppData\Local\x22nso3f7r"
      4⤵
      PID:4672
  - - C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
      "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:2224

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1940
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1940 -s 2816
  2⤵
  - Program crash
  PID:2128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1940 -ip 1940
1⤵
PID:3184

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1672 -s 1872
  2⤵
  - Program crash
  PID:3124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 1672 -ip 1672
1⤵
PID:1180

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2108 -s 2192
  2⤵
  - Program crash
  PID:968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 2108 -ip 2108
1⤵
PID:4980

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2504 -s 2160
  2⤵
  - Program crash
  PID:816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 2504 -ip 2504
1⤵
PID:4008

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3876 -s 1840
  2⤵
  - Program crash
  PID:3600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3876 -ip 3876
1⤵
PID:4576

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
  "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4792 -s 2200
  2⤵
  - Program crash
  PID:5092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4792 -ip 4792
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98.exe.log

Filesize
1KB

MD5
fc1be6f3f52d5c841af91f8fc3f790cb

SHA1
ac79b4229e0a0ce378ae22fc6104748c5f234511

SHA256
6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

SHA512
2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp30B0.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdesc-consensus.tmp

Filesize
2.4MB

MD5
d5a455e55c380c0d6851ce1f0f2b2866

SHA1
bb9ca92d3ee60963326368b298e8c0b9d84c4624

SHA256
b8b8c31f3906ff13a489f0ec8b32c13ea79cf412d51acf595e93b0bc54fa9b49

SHA512
322dedfee1c64eca986bb43dd41cf63c670756e24bce8d4516332e679e4c89f959ce5b8749601b802b88ec2d7173a6945c935faafdeaf9ef04e9582bf677128e

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdescs.new

Filesize
4.8MB

MD5
2022238a16ca0b4b07c799cec50d1eca

SHA1
fe30e4e3de0e454d195ab6fc00b38edb28ec509b

SHA256
cccd22b9181d6a5644f60bf1462dbaba75655d94e1831410c0d6e3dad5fc37e1

SHA512
38015e447aea18f57653fd0b4bfb046b12c658145794892d638987893c95e8f4b666f711424917d0381fa1ba13d88ffa1e0c0d3f2bb81f7f959f9a84c11f7e47

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\host\hostname

Filesize
64B

MD5
b123bc958adab8ad33c642a48c01e463

SHA1
4b404c3f48f7f618b746cd44eedab693fa217fe4

SHA256
18c28904e0703012836765c5d42a3b0bc2585f352858a669c8df14c48015cb70

SHA512
1f41c4fa4af1510b1a65823c8b390fc0067131aa708a05d35ca944fd5368dc42ead15e4ce23f987635df3f7c89653f68e094740ab7beb088a5b37842524b3f15

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat

Filesize
4B

MD5
db5cea26ca37aa09e5365f3e7f5dd9eb

SHA1
b30836d8dce06d547fbb3f470f8c46c0929fd64c

SHA256
468344ce1f2e74f3f5233c3be814c0ae4a90e12b7c4b6524883870110f7ac89a

SHA512
ad69a69cc2108dc26ff9285debdfae6c5eeafbb529618bca6e523a1657808e67d9601a3c9814adc29b044d357c607382e60ec4be1b51cdb26c0d9b68eec7011c

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt

Filesize
218B

MD5
46d0944bd9d27f02bf292ffe0d53192b

SHA1
1360c2e7bec6f60535e94f0688ea857e2f7c9438

SHA256
73a86944304f8b868250c5107cceb883b0e90d1118ef8808bd33b43d3c7a7646

SHA512
a21ec2d8819b9f72fbef982452b889842316e97407c0e5d91697dace3986a56c09f05db676efca6afa923e4c075dab4b2407bcd91671849f884756c553cf5e8e

Download Submit
memory/1132-145-0x0000022168C60000-0x0000022168C70000-memory.dmp

Filesize
64KB

Download
memory/1132-148-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/1132-161-0x0000022168C60000-0x0000022168C70000-memory.dmp

Filesize
64KB

Download
memory/1132-144-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/1672-222-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/1672-224-0x000001B1F6750000-0x000001B1F68BA000-memory.dmp

Filesize
1.4MB

Download
memory/1672-225-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/1940-207-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/1940-211-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/1940-208-0x000001BD20A70000-0x000001BD20A80000-memory.dmp

Filesize
64KB

Download
memory/2108-229-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/2108-227-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/2504-231-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/2504-233-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/3876-241-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/3876-239-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/4340-135-0x00000171C99E0000-0x00000171C99F0000-memory.dmp

Filesize
64KB

Download
memory/4340-139-0x00007FFA4E160000-0x00007FFA4EC21000-memory.dmp

Filesize
10.8MB

Download
memory/4340-134-0x00007FFA4E160000-0x00007FFA4EC21000-memory.dmp

Filesize
10.8MB

Download
memory/4340-133-0x00000171AF2B0000-0x00000171AF34A000-memory.dmp

Filesize
616KB

Download
memory/4792-251-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download
memory/4792-253-0x00007FFA4DB70000-0x00007FFA4E631000-memory.dmp

Filesize
10.8MB

Download