gurcu | d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

Resubmissions

10-04-2024 02:38

240410-c4pceacb24 10

10-04-2024 02:37

10-04-2024 02:37

10-04-2024 02:37

14-10-2023 01:31

Analysis

max time kernel
118s
max time network
295s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Size

339KB
MD5

1cab66a5c15f97f040fb23d354d04a9c
SHA1

f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256

d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512

a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab
SSDEEP

3072:gdrpN/JlLKd5hkad0lk0vGJGMlngDBXrkhamyeFykt9sxc8eTRLUvenjLM/zNlgl:0UGPUvva+lxXY6uXAJMI9bAV0D

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
1036	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2920	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
125	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2516	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2572	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2920	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1036	2936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	28
PID 2936 wrote to memory of 1036	2936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	28
PID 2936 wrote to memory of 1036	2936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	28
PID 1036 wrote to memory of 2532	1036	cmd.exe	30
PID 1036 wrote to memory of 2532	1036	cmd.exe	30
PID 1036 wrote to memory of 2532	1036	cmd.exe	30
PID 1036 wrote to memory of 2572	1036	cmd.exe	31
PID 1036 wrote to memory of 2572	1036	cmd.exe	31
PID 1036 wrote to memory of 2572	1036	cmd.exe	31
PID 1036 wrote to memory of 2516	1036	cmd.exe	32
PID 1036 wrote to memory of 2516	1036	cmd.exe	32
PID 1036 wrote to memory of 2516	1036	cmd.exe	32
PID 1036 wrote to memory of 2920	1036	cmd.exe	33
PID 1036 wrote to memory of 2920	1036	cmd.exe	33
PID 1036 wrote to memory of 2920	1036	cmd.exe	33
PID 2920 wrote to memory of 1564	2920	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	35
PID 2920 wrote to memory of 1564	2920	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	35
PID 2920 wrote to memory of 1564	2920	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	35
PID 944 wrote to memory of 1972	944	taskeng.exe	39
PID 944 wrote to memory of 1972	944	taskeng.exe	39
PID 944 wrote to memory of 1972	944	taskeng.exe	39
PID 1972 wrote to memory of 2628	1972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	40
PID 1972 wrote to memory of 2628	1972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	40
PID 1972 wrote to memory of 2628	1972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2532
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2572
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2516
- - C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2920 -s 3788
      4⤵
      PID:1564

C:\Windows\system32\taskeng.exe
taskeng.exe {6C76A583-B7A6-4BEF-ACDC-B1B462D151B0} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
  C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1972
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1972 -s 2540
    3⤵
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8967714f79f1ccd4d0b7de422714f85e

SHA1
ccd22ea0e48b6861f34a5bf3faf35f65e2da461d

SHA256
16cf7985fb4f0c66749b4d4deed7965cb0cfe6fc191dfc99577683a96c0c9889

SHA512
8cba08a0ea9cbcbe7d76c79f0e6209e71d073e0409e86640077127e69d0e3aedbb3eb80a60936e1c33f1a584744d824ba3994413150f087c8588b4ca0b0ee00e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
defdd70821db3fb665bee343a7818b18

SHA1
ca9663c9e41f30c633e4450b29299a7395e4b4cc

SHA256
516169a736f0ebd7a54b3e2da143d051d37636e3b50f04fa7a405db22731299a

SHA512
3fac0da03c19cfb085c3a01c0b4477e46e73896ea11b61b3e11724061adfeef122b1b5e39148be6de10e251dbea35227a420b14fc88dcf60bba28bb284d04fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66228f922c3cbe50c8ce7daae81db55f

SHA1
6b204b96794555d6b5a77e03baf4cbce5c95ad44

SHA256
44766f6142a11193774462a6cfcffc6300992446a05be65fec7a89dc69e62aef

SHA512
2f57b1b131241264cb7f5e1bd7f90f6cf4a6ba2cbd51705a1579aab06c441b1ddcc4efd850a9a1a45a37d6e0b3a689f03fce9b5faf48db4f8f7cabfd8c665fa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
960359e3fcc858daef88fddddec5b523

SHA1
09559f966fc905b4b6d04931bcd70762840cf094

SHA256
29e374a0fbf1d27085dbba37ee5b26ca3301cc32654f2f12886a639da6ceed33

SHA512
e49f6d6db026a28e3a3ec0556446a9ed6e62e399c996a18b5c5d7189f451614b53095e7cd5e968e098dd0f478f12c87f9c64b8147d5a8da9b5155b776f314049

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a995b6aabf90101b15b3fb3a9f635ee

SHA1
69e9758e7586dc351e8dc11a874fe27303df67e4

SHA256
78cc0784269a659561486d5bb39486a79524823f820f18c262a09bde61e78230

SHA512
b87156bf46c619361243b4c6240e8ec8217a5b56eef1c40b81a622017b242ca8625c01cca6fa0acb886ba401167b1a86295da5e59311b9d39a9234cc880a166a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c65a8df1c817323ef61d3a23220663c

SHA1
1b023c127662300f24116fa1db8f405c0ea8ba31

SHA256
2e366ca019ea573dd2f261c5f8a40a39032ba797f6e8ece6c64e2a65706483a4

SHA512
e0425830018c7f700739f36065251f7ce64f51631dcefc804bf6034150a8c56465675f07323136214bded058e5cd1b4de40edfcb921fbf6ccc2fb1dcfd8b3023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d2eee7431fdc4da406f3654915b5518

SHA1
7432e83d7783d65a560637d48433bbcb4072778d

SHA256
55a6941f4e6a422c353873a2dc7ee9c42ca07ce76bedf1f6e3a6c7936c85cbc1

SHA512
c1790cd7922dde70135e842ee2910c42cc906559142bd905bfbd25c8f3b41b961e94be805fe3fe45de2dc51b11f3b43b030345ecb4cd5eed49dc341e47eadfb2

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Filesize
339KB

MD5
1cab66a5c15f97f040fb23d354d04a9c

SHA1
f0dbebd22b2c7bfedbefa4435b345c58416f9448

SHA256
d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

SHA512
a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DED.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3EAF.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E5E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3F11.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\port.dat

Filesize
4B

MD5
85203ae86f2de2662ca5b6d614fbe495

SHA1
92d2b60e49c89f127530350f2ba39326fd90c541

SHA256
010b9063e59e7cf38e4249c2fa85ce9ebe9805fe952dec6776306a9a45862375

SHA512
74e064453619d5f13c08a5601ed5d04eab0a31fd3d5e25d80eb5756fb05815a38eaca2e847999f68c580cb3683eee75e4931d6a09d9b221db3c6018a70af236f

Download Submit
memory/1972-286-0x000007FEF4960000-0x000007FEF534C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-352-0x000007FEF4960000-0x000007FEF534C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-353-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/2920-9-0x0000000000900000-0x000000000095C000-memory.dmp

Filesize
368KB

Download
memory/2920-283-0x000007FEF4960000-0x000007FEF534C000-memory.dmp

Filesize
9.9MB

Download
memory/2920-284-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2920-11-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2920-10-0x000007FEF4960000-0x000007FEF534C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-0-0x0000000001380000-0x00000000013DC000-memory.dmp

Filesize
368KB

Download
memory/2936-5-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-2-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2936-1-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads