Malware Analysis Report

2024-10-19 06:42

Sample ID 231014-eq933aga5v
Target f21559ac7c67d871d4f05.exe
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129

Threat Level: Known bad

The file f21559ac7c67d871d4f05.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu family

Gurcu, WhiteSnake

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Modifies system certificate store

Suspicious use of WriteProcessMemory

outlook_win_path

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-14 04:09

Signatures

Gurcu family

gurcu

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 04:09

Reported

2023-10-14 21:20

Platform

win10v2004-20230915-en

Max time kernel

32s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 eset.com udp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 github.com udp
NL 216.58.214.14:80 youtube.com tcp
SK 91.228.166.47:80 eset.com tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
SK 91.228.166.47:80 eset.com tcp
US 140.82.113.4:80 github.com tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 140.82.113.4:80 github.com tcp
NL 142.250.179.142:80 google.com tcp
NL 216.58.214.14:80 youtube.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 140.82.113.4:443 github.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 140.82.113.4:80 github.com tcp
US 140.82.113.4:80 github.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
NL 149.154.167.99:443 telegram.org tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp

Files

memory/4760-0-0x0000023397390000-0x00000233973E8000-memory.dmp

memory/4760-1-0x00007FFBCBD90000-0x00007FFBCC851000-memory.dmp

memory/4760-2-0x00000233B19D0000-0x00000233B19E0000-memory.dmp

memory/4760-6-0x00007FFBCBD90000-0x00007FFBCC851000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f21559ac7c67d871d4f05.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/5092-11-0x00007FFBCB990000-0x00007FFBCC451000-memory.dmp

memory/5092-12-0x0000029B45520000-0x0000029B45530000-memory.dmp

memory/5092-14-0x00007FFBCB990000-0x00007FFBCC451000-memory.dmp

memory/5092-15-0x0000029B45520000-0x0000029B45530000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 04:09

Reported

2023-10-14 21:20

Platform

win7-20230831-en

Max time kernel

91s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not included in the report) | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not included in the report) | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not included in the report) | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data not included in the report) | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data not included in the report) | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2080 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe | C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe | C:\Windows\System32\cmd.exe
PID 2080 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe | C:\Windows\System32\cmd.exe
PID 2624 wrote to memory of 2724 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2624 wrote to memory of 2724 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2624 wrote to memory of 2724 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com
PID 2624 wrote to memory of 2604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2624 wrote to memory of 2604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2624 wrote to memory of 2604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2624 wrote to memory of 2652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2624 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2624 wrote to memory of 2488 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2592 wrote to memory of 2552 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2592 wrote to memory of 2552 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2592 wrote to memory of 2552 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2488 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | C:\Windows\system32\WerFault.exe
PID 2488 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | C:\Windows\system32\WerFault.exe
PID 2488 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | C:\Windows\system32\WerFault.exe
PID 2592 wrote to memory of 1512 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2592 wrote to memory of 1512 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2592 wrote to memory of 1512 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3A5EA470-934A-4095-82C7-60EC043A16E5} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2488 -s 3100

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 140.82.113.4:80 github.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 youtube.com udp
NL 142.250.179.142:80 google.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 140.82.113.4:80 github.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 140.82.113.4:80 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 140.82.113.4:443 github.com tcp

Files

memory/2080-0-0x0000000000DD0000-0x0000000000E28000-memory.dmp

memory/2080-1-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

memory/2080-2-0x000000001B200000-0x000000001B280000-memory.dmp

memory/2080-5-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

memory/2488-9-0x0000000000C50000-0x0000000000CA8000-memory.dmp

memory/2488-10-0x000007FEF4CE0000-0x000007FEF56CC000-memory.dmp

memory/2488-11-0x000000001AD30000-0x000000001ADB0000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

memory/2552-14-0x000007FEF4CE0000-0x000007FEF56CC000-memory.dmp

memory/2552-15-0x000007FEF4CE0000-0x000007FEF56CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD443.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarD475.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4867ad93cf4266c8d2e60dc572126d9b
SHA1 927eccfd9ce0c4928cef07d562fe150aaf5a9a2d
SHA256 bada32ebe861eb43985035b1f0ae299df93413601371d107b0c9f5e7b73961e5
SHA512 c3620a41ecd93ae814b771b085413cbb65faa3a630517f14cd43f4c859071e25a404d2666e6dd061dcdfe41fabb5701e836b492ceec9e0de1822d881a49e6a6b

memory/2488-80-0x000007FEF4CE0000-0x000007FEF56CC000-memory.dmp

memory/2488-81-0x000000001AD30000-0x000000001ADB0000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

memory/1512-84-0x000007FEF4CE0000-0x000007FEF56CC000-memory.dmp

memory/1512-85-0x000000001B4B0000-0x000000001B530000-memory.dmp

C:\Users\Admin\AppData\Local\z1jp774dks\port.dat

MD5 da4902cb0bc38210839714ebdcf0efc3
SHA1 3820eccabc46f2c4f038c662d6542e8a9bd0de20
SHA256 86af1a4e860588062524f76e3014a080ff3a2b45b9111a7a2125cb7bdb092695
SHA512 ad22e09fbca35d8d7e551a21b5a55c077db086e45591a378ef4eae4af95dc8ca28bd99f6202e62de22834ca8e03d31a62de279f91489888847ce94238dfee35d