Malware Analysis Report

2024-10-19 06:43

Sample ID 230914-gaadlscd59
Target t536f0746f287ffe6c9131c.exe
SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2

Threat Level: Known bad

The file t536f0746f287ffe6c9131c.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu family

Gurcu, WhiteSnake

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies system certificate store

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 05:35

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 05:35

Reported

2023-09-14 05:38

Platform

win7-20230831-en

Max time kernel

118s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data elided] C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data elided] C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data elided] C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data elided] C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
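The three keys touched above all belong to public root CAs. The Blob written under ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 decodes (the strings are visible in the hex) to O=Internet Security Research Group, CN=ISRG Root X1, and the AuthRoot thumbprints DAC9024F54D8F6DF94935FB1732638CA6AD77C13 and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 are DST Root CA X3 and DigiCert Global Root CA. Together with the apps.identrust.com fetch in the Network section and the CryptnetUrlCache files in the Files section, this is what the Windows automatic root update looks like when a process opens TLS connections whose chains end in those roots, so the "Modifies system certificate store" signature is a lead to confirm rather than proof that the sample installed a root of its own. One way to confirm it, as an added example that is not part of this report: decode the Blob value, pull the DER certificate out of it, check that the key name and the stored hash record match the certificate's SHA-1, and read the subject. The record layout and property IDs are the ones CryptoAPI uses for registry-backed stores; the sample blob in the block is built around a hand-made, unsigned certificate skeleton and is not copied from the report.

```python
"""Decode a CryptoAPI certificate-store registry Blob and verify its thumbprint.

Added example, not part of the sandbox report. A Blob value is a sequence of
{propid, reserved=1, length, data} records; CERT_CERT_PROP_ID (32) holds the DER
certificate and CERT_SHA1_HASH_PROP_ID (3) its thumbprint. The sample blob is built
here around a hand-made, unsigned DER skeleton, not copied from the report.
"""
import hashlib
import struct
from typing import Dict, Iterator, Optional, Tuple

CERT_SHA1_HASH_PROP_ID = 3
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32
OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3

def parse_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a Blob value into {propid: data}; reject truncated or malformed records."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record for propid {propid} at offset {off - 12}")
        props[propid] = blob[off:off + length]
        off += length
    return props

def der_tlv(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Read one definite-length DER TLV; return (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:start + length], start + length

def der_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    off = 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        yield tag, val

def subject_cn(der_cert: bytes) -> Optional[str]:
    """Walk Certificate -> tbsCertificate -> subject and return its commonName."""
    tag, cert, _ = der_tlv(der_cert)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    fields = list(der_children(next(der_children(cert))[1]))
    if fields and fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    subject = fields[4][1]  # serial, sigAlg, issuer, validity, subject
    for _, rdn in der_children(subject):  # each RDN is a SET of AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = list(der_children(atv))[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None

def thumbprint(der_cert: bytes) -> str:
    return hashlib.sha1(der_cert).hexdigest().upper()

def check_store_entry(key_name: str, blob: bytes) -> Dict[str, object]:
    """Cross-check the registry key name and the stored SHA1 record against the embedded cert."""
    props = parse_blob(blob)
    der_cert = props.get(CERT_CERT_PROP_ID)
    if der_cert is None:
        raise ValueError("blob carries no CERT_CERT_PROP_ID record")
    sha1 = thumbprint(der_cert)
    return {
        "subject_cn": subject_cn(der_cert),
        "sha1": sha1,
        "key_matches_cert": key_name.upper() == sha1,
        "stored_hash_matches": props.get(CERT_SHA1_HASH_PROP_ID) == bytes.fromhex(sha1),
    }

# --- constructed sample data (not from the report) ---
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_cert(cn: str) -> bytes:
    """Minimal Certificate skeleton with the real field order; no key, no signature."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
              + name + der(0x30, der(0x17, b"230914000000Z") + der(0x17, b"330914000000Z"))
              + name + der(0x30, b""))  # empty SubjectPublicKeyInfo placeholder
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

def build_sample_blob(der_cert: bytes) -> bytes:
    def rec(pid: int, data: bytes) -> bytes:
        return struct.pack("<III", pid, 1, len(data)) + data
    return (rec(CERT_KEY_IDENTIFIER_PROP_ID, b"\x11" * 20)
            + rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der_cert).digest())
            + rec(CERT_CERT_PROP_ID, der_cert))

if __name__ == "__main__":
    cert = build_sample_cert("Example Root CA")
    print(check_store_entry(thumbprint(cert), build_sample_blob(cert)))
```

Against a real entry, export the Blob value (for instance with reg.exe), hex-decode it and pass the key name, which is the thumbprint, as key_name. A key name that does not match the embedded certificate, a stored hash record that disagrees with it, or a subject that is not a CA you recognize from a public root program is the case that deserves attention; a match on ISRG Root X1, DST Root CA X3 or DigiCert Global Root CA right after a TLS connection is the auto-update path.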

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe C:\Windows\System32\cmd.exe
PID 2412 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe C:\Windows\System32\cmd.exe
PID 2412 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe C:\Windows\System32\cmd.exe
PID 2732 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2732 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2732 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2732 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2732 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2732 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2732 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2732 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2732 wrote to memory of 2612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 2732 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 2768 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\system32\WerFault.exe
PID 2768 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\system32\WerFault.exe
PID 2768 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\system32\WerFault.exe
PID 432 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 432 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 432 wrote to memory of 2108 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 2108 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\system32\WerFault.exe
PID 2108 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\system32\WerFault.exe
PID 2108 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe

"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

"C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2768 -s 3620

C:\Windows\system32\taskeng.exe

taskeng.exe {3DF63676-15DE-4F26-B452-BFACB91D8321} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2108 -s 2312

Network

Country Destination Domain Proto
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 104.16.29.98:80 blockchain.com tcp
NL 216.58.214.14:80 youtube.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 8.8.8.8:53 www.blockchain.com udp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.136:80 apps.identrust.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
US 8.8.8.8:53 eset.com udp
SK 91.228.166.47:80 eset.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 github.com udp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 www.eset.com udp
US 2.18.121.146:443 www.eset.com tcp
US 140.82.112.4:80 github.com tcp
NL 149.154.167.99:80 telegram.org tcp
US 140.82.112.4:443 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 140.82.112.4:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 140.82.112.4:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 140.82.112.4:443 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.112.4:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 2.18.121.146:443 www.eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.29.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
NL 216.58.214.14:80 www.youtube.com tcp
NL 216.58.214.14:80 www.youtube.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp

Files

memory/2412-0-0x0000000000810000-0x0000000000876000-memory.dmp

memory/2412-1-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

memory/2412-2-0x000000001B2C0000-0x000000001B340000-memory.dmp

memory/2412-5-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

MD5 e4d3a1d9c41d306200aa39ee9f718474
SHA1 7af7cd1865189d69c94fdb28d38b090d322fb134
SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
SHA512 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

MD5 e4d3a1d9c41d306200aa39ee9f718474
SHA1 7af7cd1865189d69c94fdb28d38b090d322fb134
SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
SHA512 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186

memory/2768-9-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

memory/2768-10-0x0000000001150000-0x00000000011B6000-memory.dmp

memory/2768-11-0x000000001AC40000-0x000000001ACC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7E47.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar7E69.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6313bf40098d3ce1afaeb4b1fd86f937
SHA1 84cc7474910a710de47e412e323c3eae1749a74c
SHA256 e67e713dcfde2e3c4c9c9ecb4949d46ee82246fa26d4db0840f63585a79815ab
SHA512 2f7220118b73f7424c80259fa8fb10c0a510d7089fd5966f3827a44faa91d8f7942adfc37d5d8e2c628b70e087bb638b4a915f9b1e0f0a5fb6478b68a850d06c

memory/2768-96-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

MD5 e4d3a1d9c41d306200aa39ee9f718474
SHA1 7af7cd1865189d69c94fdb28d38b090d322fb134
SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
SHA512 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186

memory/2768-98-0x000000001AC40000-0x000000001ACC0000-memory.dmp

memory/2108-99-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

memory/2108-100-0x000000001ABF0000-0x000000001AC70000-memory.dmp

C:\Users\Admin\AppData\Local\wfilbrsbzp\port.dat

MD5 0db2e204010400f5c506620adcd1ae68
SHA1 8af87f35ba1764bffede1c661c6e5e53bc8dcb96
SHA256 7e84b7064b47ed05c8b2f72b8d0fb5ffeacde209308d14ea1535e776b35f523b
SHA512 d90818dd80aa80f86e72c202a50d8bd7f4df6fc688c08f5a1eae9a49412cb4d138c8dccdaa3d17b888a61dd4d7b5bb30cfbf1c22345c223a0726f9518d948ce2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df63f709be4347f3122f927d76190fc8
SHA1 1a91e707fbebb43d89212c6266a10294f4bc5b82
SHA256 9bf3c014effec716c0e63695346b1d80750f919c9fc61dee1acdc1b3ea15e7ea
SHA512 84277c8e78f1005d37e5487c8aea0c766916b743379bb875ccc7fd25dfaf6542074a3b2732b67da4081bb3d7da6fdca99fe72c81559c902e80016b63e3ae4b62

memory/2108-127-0x000007FEF49A0000-0x000007FEF538C000-memory.dmp

memory/2108-128-0x000000001ABF0000-0x000000001AC70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 05:35

Reported

2023-09-14 05:38

Platform

win10v2004-20230831-en

Max time kernel

13s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe C:\Windows\System32\cmd.exe
PID 3956 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1904 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1904 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1904 wrote to memory of 5008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1904 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1904 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1904 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 1904 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
PID 2320 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\System32\tar.exe
PID 2320 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Windows\System32\tar.exe
PID 2320 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe
PID 2320 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe

"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

"C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"

C:\Windows\System32\tar.exe

"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp" -C "C:\Users\Admin\AppData\Local\wfilbrsbzp"

C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe

"C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\wfilbrsbzp\torrc.txt"

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
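Both runs show the same chain in the Processes sections: the dropped copy under AppData\Local\TeamViewer is registered as a scheduled task that repeats every minute at the highest run level, the original in Temp is deleted, and the copy is relaunched; on Windows 10 the copy then uses the built-in tar.exe to unpack a Tor client into AppData\Local\wfilbrsbzp and starts it with its own torrc. The following is an added example, not code from the report or from the sandbox, of how a process-creation feed can be checked for that chain. The events are constructed from the command lines and PIDs printed above (parent PIDs the report does not show are set to 0; the "Backup" task is an invented benign control), and the ATT&CK mapping is this example's own.

```python
"""Process-tree detections for the chain in the win7 and win10 Processes sections.

Added example, not part of the sandbox report. Events are constructed from the
command lines and PIDs in this report (parent PIDs it does not list are 0); the
benign control at the end is invented. ATT&CK IDs are this example's own mapping.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

SAMPLE_EVENTS = [
    ProcEvent(2412, 0, r"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe"'),
    ProcEvent(2732, 2412, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create '
              r'/tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" '
              r'/rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe" '
              r'&&START "" "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"'),
    ProcEvent(2612, 2732, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE '
              r'/tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f'),
    ProcEvent(3324, 2320, r"C:\Windows\System32\tar.exe",
              r'"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp" '
              r'-C "C:\Users\Admin\AppData\Local\wfilbrsbzp"'),
    ProcEvent(1192, 2320, r"C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe",
              r'"C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\wfilbrsbzp\torrc.txt"'),
    ProcEvent(4000, 3999, r"C:\Windows\system32\schtasks.exe",  # invented benign control
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'),
]

_SCHTASKS_OPT = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.I)
_TAR_DEST = re.compile(r'-C\s+"([^"]+)"')
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Temp|Users\\[^\\]+\\(Downloads|Desktop|Documents))\\', re.I)

def schtasks_options(cmdline: str) -> Dict[str, str]:
    """Pull /tn /sc /tr /rl values (quoted or bare) out of a schtasks command line."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _SCHTASKS_OPT.finditer(cmdline)}

def check_schtasks(ev: ProcEvent) -> List[str]:
    """T1053.005: alert only when two or more risky task traits coincide, to spare admin tasks."""
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in ev.cmdline.lower():
        return []
    o, traits = schtasks_options(ev.cmdline), []
    if o.get("sc", "").upper() == "MINUTE":
        traits.append("task repeats every minute")
    if o.get("rl", "").upper() == "HIGHEST":
        traits.append("task runs at highest run level")
    if USER_WRITABLE.search(o.get("tr", "")):
        traits.append("task action lives in a user-writable directory")
    return [f"T1053.005 {t}" for t in traits] if len(traits) >= 2 else []

def check_cmd_chain(ev: ProcEvent, parent: Optional[ProcEvent]) -> List[str]:
    """Inspect each && stage of a cmd.exe line for self-delete, sleep-by-ping and relaunch elsewhere."""
    if parent is None or not ev.image.lower().endswith("\\cmd.exe"):
        return []
    parent_path = parent.image.lower()
    parent_name = ntpath.basename(parent_path)
    findings = []
    for stage in re.split(r"\s*&&\s*", ev.cmdline):
        verb = stage.split(None, 1)[0].lower() if stage.strip() else ""
        if verb in ("del", "erase") and parent_path in stage.lower():
            findings.append("T1070.004 cmd.exe deletes its parent's image (self-delete)")
        elif verb == "ping" and "127.0.0.1" in stage:
            findings.append("T1497.003 ping to loopback used as a delay")
        elif verb == "start":
            for target in re.findall(r'"([^"]+\.exe)"', stage, re.I):
                if ntpath.basename(target.lower()) == parent_name and target.lower() != parent_path:
                    findings.append(f"T1036.005 relaunches {parent_name} from {ntpath.dirname(target)}")
    return findings

def check_staging(ev: ProcEvent, events: List[ProcEvent]) -> List[str]:
    """tar.exe unpacking into a user-writable directory, then a sibling process run from it."""
    if not ev.image.lower().endswith("\\tar.exe"):
        return []
    m = _TAR_DEST.search(ev.cmdline)
    if not m or not USER_WRITABLE.search(m.group(1) + "\\"):
        return []
    dest = m.group(1).lower().rstrip("\\") + "\\"
    findings = [f"T1140 tar.exe unpacks an archive into {m.group(1)}"]
    for s in events:
        if s.ppid == ev.ppid and s.pid != ev.pid and s.image.lower().startswith(dest):
            name = ntpath.basename(s.image)
            tag = " (T1090.003 Tor client)" if name.lower() == "tor.exe" else ""
            findings.append(f"sibling {s.pid} runs {name} from the unpacked directory{tag}")
    return findings

def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for ev in events:
        findings = check_schtasks(ev) + check_cmd_chain(ev, by_pid.get(ev.ppid)) + check_staging(ev, events)
        if findings:
            hits[ev.pid] = findings
    return hits

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

The schtasks check deliberately needs two traits at once: a one-minute repeat alone, or a highest-run-level task alone, is common in administration, while the combination with an action under AppData is the shape the report shows. The cmd.exe check needs the parent's image path, which is why the scan resolves parents by PID first; on a real feed (Sysmon event 1 or Security 4688 with command-line auditing) the ParentImage field gives the same thing directly.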

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 blockchain.com udp
US 8.8.8.8:53 youtube.com udp
US 104.16.30.98:80 blockchain.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
NL 216.58.214.14:80 youtube.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 104.16.30.98:80 blockchain.com tcp
US 8.8.8.8:53 www.blockchain.com udp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 eset.com udp
US 104.16.30.98:80 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 8.8.8.8:53 www.eset.com udp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 152.195.19.97:443 www.eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 152.195.19.97:443 www.eset.com tcp
US 8.8.8.8:53 97.19.195.152.in-addr.arpa udp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 github.com udp
US 140.82.114.3:80 github.com tcp
NL 149.154.167.99:80 telegram.org tcp
NL 149.154.167.99:80 telegram.org tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 3.114.82.140.in-addr.arpa udp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
LU 213.135.244.242:24071 tcp
US 140.82.114.3:443 github.com tcp
US 140.82.114.3:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:80 github.com tcp
US 140.82.114.3:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:80 github.com tcp
US 140.82.114.3:80 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
DE 185.183.157.127:9100 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
N/A 127.0.0.1:52550 tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 140.82.114.3:443 github.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
CH 213.144.135.21:443 tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
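
The rows above mix three kinds of traffic: DNS queries to 8.8.8.8, connections to named hosts (www.blockchain.com, eset.com, www.eset.com, github.com, telegram.org), and a few TCP connections to bare addresses with no hostname at all (213.135.244.242:24071, 185.183.157.127:9100, 213.144.135.21:443, plus loopback 127.0.0.1:52550). The in-addr.arpa queries are reverse (PTR) lookups of addresses that were contacted. As an added example, not part of the report, the script below parses rows in exactly the format used in this table and pulls out what a triager wants first: the direct-to-IP connections, each PTR query mapped back to the address it reverses, and a per-destination count. SAMPLE_ROWS is a constructed subset of the table's rows.

```python
"""Triage helpers for sandbox network rows written as '<CC> <ip>:<port> [<host>] <proto>'.

Added example, not part of the report. SAMPLE_ROWS is a constructed subset of
the rows from the table above, copied verbatim; the full table has ~100 rows.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = """\
US 8.8.8.8:53 eset.com udp
SK 91.228.166.47:80 eset.com tcp
US 104.16.30.98:443 www.blockchain.com tcp
US 104.16.30.98:80 www.blockchain.com tcp
US 152.195.19.97:443 www.eset.com tcp
US 8.8.8.8:53 98.30.16.104.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 47.166.228.91.in-addr.arpa udp
US 140.82.114.3:80 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
LU 213.135.244.242:24071 tcp
DE 185.183.157.127:9100 tcp
N/A 127.0.0.1:52550 tcp
CH 213.144.135.21:443 tcp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    host: Optional[str]   # None when the row carries no hostname
    proto: str


def parse_rows(text: str) -> list[Conn]:
    """Parse rows; lines that are not 3 or 4 whitespace-separated fields are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, _, port = parts[1].rpartition(":")
        host = parts[2] if len(parts) == 4 else None
        conns.append(Conn(parts[0], ip, int(port), host, parts[-1]))
    return conns


def is_dns(c: Conn) -> bool:
    return c.proto == "udp" and c.port == 53


def ptr_target(name: str) -> Optional[str]:
    """'98.30.16.104.in-addr.arpa' -> '104.16.30.98': PTR names carry the octets reversed."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def direct_to_ip(conns: list[Conn]) -> list[Conn]:
    """Non-loopback TCP connections with no hostname: the socket was opened to a
    literal address, so no DNS query precedes them. These, not the named
    CDN/web-service hosts, are the first candidates to pivot on."""
    return [
        c for c in conns
        if c.host is None and c.proto == "tcp"
        and not ipaddress.ip_address(c.ip).is_loopback
    ]


def ptr_lookups(conns: list[Conn]) -> dict[str, tuple[str, bool]]:
    """Map each PTR query to the address it reverses and whether that address
    was also a connection target in the same capture."""
    targets = {c.ip for c in conns if not is_dns(c)}
    out = {}
    for c in conns:
        if is_dns(c) and c.host:
            ip = ptr_target(c.host)
            if ip:
                out[c.host] = (ip, ip in targets)
    return out


def destinations(conns: list[Conn]) -> Counter:
    """Count non-DNS connections per (host-or-ip, port)."""
    return Counter((c.host or c.ip, c.port) for c in conns if not is_dns(c))


if __name__ == "__main__":
    conns = parse_rows(SAMPLE_ROWS)
    for c in direct_to_ip(conns):
        print(f"direct-to-IP: {c.ip}:{c.port} ({c.country})")
    for name, (ip, seen) in ptr_lookups(conns).items():
        print(f"PTR {name} -> {ip} {'(also a target)' if seen else '(not a target here)'}")
    for (dst, port), n in destinations(conns).most_common():
        print(f"{n:3d}x {dst}:{port}")
```

The named hosts are well-known services, and without the request and response bodies the table alone does not say what the sample fetched from them; the connections to bare addresses on non-standard ports (24071, 9100) are the ones to pivot on. PTR lookups may be issued by the analysis environment or by Windows itself rather than by the sample's own code, so on their own they are weak evidence.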

Files

memory/3956-0-0x000002317ACD0000-0x000002317AD36000-memory.dmp

memory/3956-1-0x00007FF893950000-0x00007FF894411000-memory.dmp

memory/3956-2-0x000002317D460000-0x000002317D470000-memory.dmp

memory/3956-6-0x00007FF893950000-0x00007FF894411000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

MD5 e4d3a1d9c41d306200aa39ee9f718474
SHA1 7af7cd1865189d69c94fdb28d38b090d322fb134
SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
SHA512 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\t536f0746f287ffe6c9131c.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

MD5 e4d3a1d9c41d306200aa39ee9f718474
SHA1 7af7cd1865189d69c94fdb28d38b090d322fb134
SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
SHA512 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186

memory/2320-11-0x00007FF892920000-0x00007FF8933E1000-memory.dmp

memory/2320-12-0x000001776E780000-0x000001776E790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp

MD5 89d2d5811c1aff539bb355f15f3ddad0
SHA1 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256 b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe

MD5 88590909765350c0d70c6c34b1f31dd2
SHA1 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512 a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

C:\Users\Admin\AppData\Local\wfilbrsbzp\torrc.txt

MD5 0fadedfa2c5fb8bc83dd0cedf70bbc13
SHA1 e2129c5ab96b438925b8cee8044b5ee77b3025bc
SHA256 3c6793b6c45631ef0c9c7b659ccb22f0b7276e2f3a9d3a18d71186758e2a31ea
SHA512 608ce02a3801452bf313fd5ccf5e7a32a4215e85066fca8b5e994e93ddd0152678d5472fa58353caa16e8862dca1d70bdc0bf909c9d968ca8c2dc519b3683c2e

C:\Users\Admin\AppData\Local\wfilbrsbzp\host\hostname

MD5 e5ea098def9f25898031bbacfb9aaa15
SHA1 3950d045ca6c5c06860f1f8fdf1c7e6030288afe
SHA256 af3edff20a2a530133e2816119b34d8c85ce01982b072f5163c57cd34cdde6a8
SHA512 fe89752a6aaa9422ffdce301a18f1528c9183918d68c75390f68a68d6bc2db68e57cb9451acfdb5d1105d05847d398f8c0f460b8a27dde779d64cdc133118ea4

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

MD5 e4d3a1d9c41d306200aa39ee9f718474
SHA1 7af7cd1865189d69c94fdb28d38b090d322fb134
SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
SHA512 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186
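
The Files list above repeats some entries (the TeamViewer-named copy of the sample three times, tor.exe twice) and mixes memory dumps, which carry no hashes, with dropped files. Three of the dropped files (tor.exe, torrc.txt and host\hostname under wfilbrsbzp) form a Tor client configuration; a hostname file is what Tor writes into a HiddenServiceDir, so the layout is consistent with an onion service being configured, not just a Tor client. As an added example, not part of the report, the script below parses entries in this format into one record per SHA256, flags the Tor components, and hunts a directory tree for the dropped files by content hash rather than by the detonation's file names. FILES_SECTION is a constructed subset of the list above with only the SHA256 line kept per entry; the root directory passed to hunt() is whatever the reader chooses.

```python
"""IOC records from a sandbox Files list, deduplicated by SHA256, plus a hash-based hunt.

Added example, not part of the report. FILES_SECTION is a constructed subset of
the Files list above with only the SHA256 line kept per entry; it repeats one
path/hash pair, as the report does, which is why records are keyed by SHA256.
"""
import hashlib
import os
from pathlib import Path

FILES_SECTION = r"""
memory/3956-0-0x000002317ACD0000-0x000002317AD36000-memory.dmp

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2

C:\Users\Admin\AppData\Local\wfilbrsbzp\tor\tor.exe

SHA256 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

C:\Users\Admin\AppData\Local\wfilbrsbzp\host\hostname

SHA256 af3edff20a2a530133e2816119b34d8c85ce01982b072f5163c57cd34cdde6a8

C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe

SHA256 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
"""

HASH_KEYS = {"MD5", "SHA1", "SHA256", "SHA512"}
TOR_MARKERS = {"tor.exe", "torrc.txt", "hostname"}


def parse_files(text: str) -> list[tuple[str, dict[str, str]]]:
    """Return (path, hashes) per entry, in order. Memory-dump entries carry no
    hash lines and get an empty dict. Paths are assumed not to contain spaces."""
    entries: list[tuple[str, dict[str, str]]] = []
    path, hashes = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in HASH_KEYS and path is not None:
            hashes[key] = value.lower()
        else:                       # any other line starts a new entry
            if path is not None:
                entries.append((path, hashes))
            path, hashes = line, {}
    if path is not None:
        entries.append((path, hashes))
    return entries


def dedupe_by_sha256(entries) -> dict[str, dict]:
    """One record per SHA256; every path the hash was seen under is kept."""
    iocs: dict[str, dict] = {}
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha is None:
            continue                # memory dump: nothing to blocklist on
        rec = iocs.setdefault(sha, {**hashes, "paths": set()})
        rec["paths"].add(path)
    return iocs


def tor_components(entries) -> list[str]:
    """Dropped files whose basename is a Tor client or onion-service artefact."""
    return sorted({p for p, _ in entries
                   if p.rsplit("\\", 1)[-1].lower() in TOR_MARKERS})


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root: str, wanted: set[str]) -> list[tuple[str, str]]:
    """Walk root and return (path, sha256) for each file whose hash is in wanted.
    Matching on content rather than on the detonation's file names keeps the
    check valid if the dropper uses different paths on another host."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
            except OSError:
                continue            # unreadable or vanished file; keep walking
            if digest in wanted:
                hits.append((str(p), digest))
    return hits
```

Hunting by hash only finds byte-identical copies; the memory/ entries in the list are sandbox dumps of the process address space, not files that would exist on a victim host, and are skipped for that reason.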