gurcu | a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08-09-2023 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369204590CE91E77109E21A298753522.exe
Size

119KB
MD5

369204590ce91e77109e21a298753522
SHA1

e981f0c86c42e9e8fcbc7dcff0e05c35887a3869
SHA256

a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
SHA512

bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32
SSDEEP

3072:P56Q4BB1q/hJcq4YZRKsySYSLLx9yLjj6TG6WVt9bm+EFyW43LORzMJS/3:Fha6BuQdwLKTGLt9bmhD4q1Mc

Score

10^/10

gurcu collection spyware stealer

Malware Config

Signatures

Detect Gurcu Stealer V3 payload 7 IoCs

resource	yara_rule
behavioral1/memory/2300-1-0x0000000000E50000-0x0000000000E74000-memory.dmp	family_gurcu_v3
behavioral1/memory/2300-2-0x000000001B050000-0x000000001B0D0000-memory.dmp	family_gurcu_v3
behavioral1/files/0x000b000000012276-7.dat	family_gurcu_v3
behavioral1/files/0x000b000000012276-8.dat	family_gurcu_v3
behavioral1/memory/2724-9-0x00000000008D0000-0x00000000008F4000-memory.dmp	family_gurcu_v3
behavioral1/memory/2724-11-0x000000001B330000-0x000000001B3B0000-memory.dmp	family_gurcu_v3
behavioral1/files/0x000b000000012276-78.dat	family_gurcu_v3

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
1376	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	369204590CE91E77109E21A298753522.exe
564	369204590CE91E77109E21A298753522.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2268	2724	WerFault.exe	33
2156	564	WerFault.exe	39

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	369204590CE91E77109E21A298753522.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	369204590CE91E77109E21A298753522.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	369204590CE91E77109E21A298753522.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	369204590CE91E77109E21A298753522.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	369204590CE91E77109E21A298753522.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	369204590CE91E77109E21A298753522.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2688	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2724	369204590CE91E77109E21A298753522.exe
564	369204590CE91E77109E21A298753522.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	369204590CE91E77109E21A298753522.exe
Token: SeDebugPrivilege	2724	369204590CE91E77109E21A298753522.exe
Token: SeDebugPrivilege	564	369204590CE91E77109E21A298753522.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1376	2300	369204590CE91E77109E21A298753522.exe	28
PID 2300 wrote to memory of 1376	2300	369204590CE91E77109E21A298753522.exe	28
PID 2300 wrote to memory of 1376	2300	369204590CE91E77109E21A298753522.exe	28
PID 1376 wrote to memory of 2616	1376	cmd.exe	30
PID 1376 wrote to memory of 2616	1376	cmd.exe	30
PID 1376 wrote to memory of 2616	1376	cmd.exe	30
PID 1376 wrote to memory of 2688	1376	cmd.exe	31
PID 1376 wrote to memory of 2688	1376	cmd.exe	31
PID 1376 wrote to memory of 2688	1376	cmd.exe	31
PID 1376 wrote to memory of 2596	1376	cmd.exe	32
PID 1376 wrote to memory of 2596	1376	cmd.exe	32
PID 1376 wrote to memory of 2596	1376	cmd.exe	32
PID 1376 wrote to memory of 2724	1376	cmd.exe	33
PID 1376 wrote to memory of 2724	1376	cmd.exe	33
PID 1376 wrote to memory of 2724	1376	cmd.exe	33
PID 2724 wrote to memory of 2268	2724	369204590CE91E77109E21A298753522.exe	35
PID 2724 wrote to memory of 2268	2724	369204590CE91E77109E21A298753522.exe	35
PID 2724 wrote to memory of 2268	2724	369204590CE91E77109E21A298753522.exe	35
PID 1080 wrote to memory of 564	1080	taskeng.exe	39
PID 1080 wrote to memory of 564	1080	taskeng.exe	39
PID 1080 wrote to memory of 564	1080	taskeng.exe	39
PID 564 wrote to memory of 2156	564	369204590CE91E77109E21A298753522.exe	40
PID 564 wrote to memory of 2156	564	369204590CE91E77109E21A298753522.exe	40
PID 564 wrote to memory of 2156	564	369204590CE91E77109E21A298753522.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	369204590CE91E77109E21A298753522.exe

C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe
"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2616
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2688
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2596
- - C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2724 -s 2868
      4⤵
      Program crash
      PID:2268

C:\Windows\system32\taskeng.exe
taskeng.exe {0516550A-1641-4A9B-82AA-D1C8A7E5B693} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
  C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:564
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 564 -s 2952
    3⤵
    - Program crash
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8c2307c84f29f371ed8369fe7a0ebd6

SHA1
44f1ff2f7f865a21d4b742a65644ac562a288f01

SHA256
4ddd066007e4f287250340425b71ac9ef4c50eb8a222a785429a7b98fd8e6fba

SHA512
104851eaf146457546f7494111d9441f0775899f147902f6379b810cc02e6fe08d077646af00dac4fd6309ac70c85b9b50da94c50589c84edfbff5e2a0871a02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f03b146b2e78605d53368549e6d94f18

SHA1
814f228b5a9880f56dabf2ba5581735aae73b691

SHA256
f84ddcac3ba57e6e3fe1cade0bd844ec3511691fab1754067a921ae92c067419

SHA512
24c02099beaf7965ed03ddca461cb2739da9cdac31ad4011aea777de5a94c6bbd925cc9cdb03435c3b77190935722647d532b83c43bdaff2d7032f0ac76ca034

Download Submit
C:\Users\Admin\AppData\Local\84tnjh4449\port.dat

Filesize
4B

MD5
baed9f51d412c2514ee46a0942138ad6

SHA1
45936e464b0f4fb92fed14504f9c50a909729e99

SHA256
07492b151560912565b471452f8baadbf3bc80c73814708053d9e4fb7e6e1401

SHA512
32e44fd6b30ffee03bbd7eab1000f2ab43defbef6b74aba10eaf0788000167883cdcd0eaf14e9fe0d52ab160d687199634ea2fe1d807399f3ac9bfe2ae62af23

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

Filesize
119KB

MD5
369204590ce91e77109e21a298753522

SHA1
e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

SHA256
a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

SHA512
bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

Filesize
119KB

MD5
369204590ce91e77109e21a298753522

SHA1
e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

SHA256
a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

SHA512
bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

Filesize
119KB

MD5
369204590ce91e77109e21a298753522

SHA1
e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

SHA256
a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

SHA512
bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD27E.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD2C0.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

Filesize
41B

MD5
1dc1f257ec74e0488f5e190eae799941

SHA1
93cdcdacd427c6154c12475d5a809495d0d55b3b

SHA256
04aa645fad7315470fc6be35f94cf06c65e592f32da763bd140d6bd36d5bc7d3

SHA512
5e092057d83adc2299e3553e43cd5191a83969bcb5ed6edf824da9c0d6097d839395119bc4ecb9041c26539e6611c9e31750c3e61f05b67b8a5bc129f6bfbb53

Download Submit
memory/564-79-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

Filesize
9.9MB

Download
memory/564-103-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/564-102-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

Filesize
9.9MB

Download
memory/564-80-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2300-2-0x000000001B050000-0x000000001B0D0000-memory.dmp

Filesize
512KB

Download
memory/2300-5-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-1-0x0000000000E50000-0x0000000000E74000-memory.dmp

Filesize
144KB

Download
memory/2300-0-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-77-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2724-76-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-11-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2724-9-0x00000000008D0000-0x00000000008F4000-memory.dmp

Filesize
144KB

Download
memory/2724-10-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

Filesize
9.9MB

Download