gurcu | d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

Resubmissions

10-04-2024 02:38

240410-c4pceacb24 10

10-04-2024 02:37

10-04-2024 02:37

10-04-2024 02:37

14-10-2023 01:31

Analysis

max time kernel
845s
max time network
917s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Size

339KB
MD5

1cab66a5c15f97f040fb23d354d04a9c
SHA1

f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256

d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512

a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab
SSDEEP

3072:gdrpN/JlLKd5hkad0lk0vGJGMlngDBXrkhamyeFykt9sxc8eTRLUvenjLM/zNlgl:0UGPUvva+lxXY6uXAJMI9bAV0D

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
1652	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2636	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
488	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2584	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3000	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2636	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	488	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1652	2972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	28
PID 2972 wrote to memory of 1652	2972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	28
PID 2972 wrote to memory of 1652	2972	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	28
PID 1652 wrote to memory of 2620	1652	cmd.exe	30
PID 1652 wrote to memory of 2620	1652	cmd.exe	30
PID 1652 wrote to memory of 2620	1652	cmd.exe	30
PID 1652 wrote to memory of 3000	1652	cmd.exe	31
PID 1652 wrote to memory of 3000	1652	cmd.exe	31
PID 1652 wrote to memory of 3000	1652	cmd.exe	31
PID 1652 wrote to memory of 2584	1652	cmd.exe	32
PID 1652 wrote to memory of 2584	1652	cmd.exe	32
PID 1652 wrote to memory of 2584	1652	cmd.exe	32
PID 1652 wrote to memory of 2636	1652	cmd.exe	33
PID 1652 wrote to memory of 2636	1652	cmd.exe	33
PID 1652 wrote to memory of 2636	1652	cmd.exe	33
PID 2636 wrote to memory of 1740	2636	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	35
PID 2636 wrote to memory of 1740	2636	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	35
PID 2636 wrote to memory of 1740	2636	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	35
PID 2424 wrote to memory of 488	2424	taskeng.exe	37
PID 2424 wrote to memory of 488	2424	taskeng.exe	37
PID 2424 wrote to memory of 488	2424	taskeng.exe	37
PID 488 wrote to memory of 860	488	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	38
PID 488 wrote to memory of 860	488	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	38
PID 488 wrote to memory of 860	488	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2620
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3000
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2584
- - C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2636 -s 1928
      4⤵
      PID:1740

C:\Windows\system32\taskeng.exe
taskeng.exe {D00FFEC7-BCB6-4B86-9D57-8744C8A637FA} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
  C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:488
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 488 -s 2096
    3⤵
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5f7a7e3b0a1b697fbbb0436b18e3dee

SHA1
1022d93e04944a63b5d669edcd0ade8842bb6a1f

SHA256
c19a06ea1ae49e6f8974d7595405fa9d7bdd2fbf3633a3f3028416b9ebbe6f36

SHA512
0f7ef576a46c583452fb78aee626be6c6ec9fc561538a0a9a8e7e4b05df3490596069e7cbc342280c89ef19b4443202b0169122e32bef71e2d7d180dab752bf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
298d89a8146e19ee13fc846545dba72d

SHA1
cb063fa7957b44c8f8dad531e6546bb52d59efda

SHA256
14108843206fbdb659fec8e6660dc444e81b03f601f35a8a5bbce6ce11707626

SHA512
a18b8ee7ce7d29ff400296f890d65c2e47cb5eaea6360026b15b120b5c0994539f58234370bbe410c5fdfe54d86275748f97c1779627529ecd3e03f9d67dd321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ff83e909aff4b8d38d56ea2a8697340

SHA1
2f2faf44bb15417b0f516177d1a0266505056f05

SHA256
2853f4c66d23622eb769d54bda64397806381ac57c54c460cb2f0a464c0abe6a

SHA512
0cddf0bbd7ed63637dc3b9893ba7dc6cd15255456ae1eeb8b40d70851c7c565ed558d01f1f1a8794af9dfc7535cf3a8448a7f0e57798708465f33af019ab08ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be2b9fd321e08d92b66b9969b85d7219

SHA1
d60a40f3f59168e839cad1febb702e313dbd4020

SHA256
8870e75b1f3b6ccac6da50c64f7944beda341bed1f0efc531b8856ffb267deba

SHA512
67827a55b340a40ac7c6ebfd7393a19a3ff510730a2dcd64996320a3d56a2be9653ecc8bc5ab1144c6d178bef7b73d862d54cc8dc9f6fa4302a1639890813157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b04f6b63ecee87f18a829c77df67319

SHA1
674398be75b8a4ba0473ce5645bdecec65343d02

SHA256
4368f087601a9d00e5cf6f224e35bdd627195b20090079bec31b3cec4e53c411

SHA512
b73616cef149fabe4f5ef9e14f23de813934020a50494457a39cddcda5aa267012aee90b0fcab2931e96570e16d518278d9d8d5c9b432580d32ac0d5b65a2f2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
44c1d66c617798cdc0c2307951fc7afe

SHA1
3150a9011b022330e16034442b4a4c3c1c0975a0

SHA256
1356e292224643e230f9e863357e4edbf5cbd23b4d806d3a0cc2d826eb54677d

SHA512
10a7d0a0340ba4865253ef0155b6cf9aecbfe902218fdf22aa74042d32f632e57467635d7cb5503d95754f74983a0c96cbbaa8d45922f0f99d5c4564e754f861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ce77531a8400972967d5278e33e0234

SHA1
4d0cc5895a538bbad5d22d382884ad42500d5f3c

SHA256
a2d00ccb7cb2841a3affa00cf7b781b61dc98168974744bb3081a21dfe99b259

SHA512
5518d9f37b0f4ad9f4f233f05ccf8f59d76feaa7c4c1c1726eb7cf4f0515cd7b3d7e97d08434afe0ea0c5b198e579b7f7471f61b2640a7723229ca53b5af0e13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53be8f9373ab9ecf80a281d6dd96dec4

SHA1
9c8ed66182e56988f053faafabc70563ab4c5668

SHA256
8734ce08e5005e9ed4f35b2c05a202a7a1f0de03143cfcf5d3b4e1d95b0b13a4

SHA512
18af044a17af365c5e3e8816c50243ca69b79db5fde70bae34a5a1eeb3d24f813626e31e6e10ffce7bc110f6d2770ef1b2ebf409423d37311745cb52bf6a0e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7076ea03f1598453b5bfd034be2938c9

SHA1
a0e1e3fde6697e692475d6b64e0d308660dd7249

SHA256
eb15e5ae9ce875932e019b5ef68118a3412e25955456d8d7a9e2e13432d24ad5

SHA512
0bd4ebb22e11ceedd38d9849dc107b4211970e459b4b3f2392e1aafd497d58e5c61c54f0a5e11135f8889620b8e7429ff07b704c68fd2a550c85379a2dc65ebb

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Filesize
339KB

MD5
1cab66a5c15f97f040fb23d354d04a9c

SHA1
f0dbebd22b2c7bfedbefa4435b345c58416f9448

SHA256
d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

SHA512
a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3881.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3967.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3884.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39AB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\port.dat

Filesize
4B

MD5
598a90004bace6540f0e2230bdc47c09

SHA1
301560ebe21439685b64e4381373ef65741df19b

SHA256
00476816e43cf2efffdabdda7f55c5203bc9e28382c551f83931de02fd364a25

SHA512
e583a61b147e2d349d11ab07f097b7c46605c162a869ad2488ea634d2e43ba1ad732d3a457b0390b3df04c95fb3af75a4e97974e22913080edae1857f1f6ceb3

Download Submit
memory/488-506-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/488-576-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/488-575-0x000007FEF48E0000-0x000007FEF52CC000-memory.dmp

Filesize
9.9MB

Download
memory/488-505-0x000007FEF48E0000-0x000007FEF52CC000-memory.dmp

Filesize
9.9MB

Download
memory/2636-9-0x0000000000E70000-0x0000000000ECC000-memory.dmp

Filesize
368KB

Download
memory/2636-11-0x000000001B350000-0x000000001B3D0000-memory.dmp

Filesize
512KB

Download
memory/2636-574-0x000000001B350000-0x000000001B3D0000-memory.dmp

Filesize
512KB

Download
memory/2636-573-0x000007FEF48E0000-0x000007FEF52CC000-memory.dmp

Filesize
9.9MB

Download
memory/2636-10-0x000007FEF48E0000-0x000007FEF52CC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-2-0x000000001AC00000-0x000000001AC80000-memory.dmp

Filesize
512KB

Download
memory/2972-0-0x00000000000C0000-0x000000000011C000-memory.dmp

Filesize
368KB

Download
memory/2972-1-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2972-5-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads