gurcu | d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

Resubmissions

10-04-2024 02:38

240410-c4pceacb24 10

10-04-2024 02:37

10-04-2024 02:37

10-04-2024 02:37

14-10-2023 01:31

Analysis

max time kernel
593s
max time network
603s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Size

339KB
MD5

1cab66a5c15f97f040fb23d354d04a9c
SHA1

f0dbebd22b2c7bfedbefa4435b345c58416f9448
SHA256

d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f
SHA512

a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab
SSDEEP

3072:gdrpN/JlLKd5hkad0lk0vGJGMlngDBXrkhamyeFykt9sxc8eTRLUvenjLM/zNlgl:0UGPUvva+lxXY6uXAJMI9bAV0D

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Executes dropped EXE 22 IoCs

pid	Process
2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1552	tor.exe
1068	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
5040	tor.exe
3376	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4604	tor.exe
3308	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3984	tor.exe
4788	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4328	tor.exe
5044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3088	tor.exe
5064	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
5020	tor.exe
672	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1464	tor.exe
1184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3544	tor.exe
628	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
4364	tor.exe
4936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
3276	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
95	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2368	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2392	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1068	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3376	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	3308	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4788	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	5044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	5064	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	672	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	1184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	628	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
Token: SeDebugPrivilege	4936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4480	5008	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	85
PID 5008 wrote to memory of 4480	5008	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	85
PID 4480 wrote to memory of 1144	4480	cmd.exe	87
PID 4480 wrote to memory of 1144	4480	cmd.exe	87
PID 4480 wrote to memory of 2392	4480	cmd.exe	88
PID 4480 wrote to memory of 2392	4480	cmd.exe	88
PID 4480 wrote to memory of 2368	4480	cmd.exe	94
PID 4480 wrote to memory of 2368	4480	cmd.exe	94
PID 4480 wrote to memory of 2244	4480	cmd.exe	95
PID 4480 wrote to memory of 2244	4480	cmd.exe	95
PID 2244 wrote to memory of 2520	2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	99
PID 2244 wrote to memory of 2520	2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	99
PID 2244 wrote to memory of 1552	2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	101
PID 2244 wrote to memory of 1552	2244	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	101
PID 1068 wrote to memory of 5040	1068	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	107
PID 1068 wrote to memory of 5040	1068	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	107
PID 3376 wrote to memory of 4604	3376	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	113
PID 3376 wrote to memory of 4604	3376	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	113
PID 3308 wrote to memory of 3984	3308	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	118
PID 3308 wrote to memory of 3984	3308	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	118
PID 4788 wrote to memory of 4328	4788	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	123
PID 4788 wrote to memory of 4328	4788	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	123
PID 5044 wrote to memory of 3088	5044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	128
PID 5044 wrote to memory of 3088	5044	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	128
PID 5064 wrote to memory of 5020	5064	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	133
PID 5064 wrote to memory of 5020	5064	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	133
PID 672 wrote to memory of 1464	672	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	138
PID 672 wrote to memory of 1464	672	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	138
PID 1184 wrote to memory of 3544	1184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	143
PID 1184 wrote to memory of 3544	1184	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	143
PID 628 wrote to memory of 4364	628	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	148
PID 628 wrote to memory of 4364	628	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	148
PID 4936 wrote to memory of 3276	4936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	153
PID 4936 wrote to memory of 3276	4936	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
"C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1144
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2392
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "k2fef4820980d3c2c1f2cce2f95e94f5e1c18" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2368
- - C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2244
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp47E6.tmp" -C "C:\Users\Admin\AppData\Local\lcybndk48g"
      4⤵
      PID:2520
  - - C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
      "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:1552

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5040

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4604

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3984

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4328

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3088

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:5020

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:1464

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3544

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:4364

C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe
  "C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\k2fef4820980d3c2c1f2cce2f95e94f5e1c18.exe

Filesize
339KB

MD5
1cab66a5c15f97f040fb23d354d04a9c

SHA1
f0dbebd22b2c7bfedbefa4435b345c58416f9448

SHA256
d71329c78c704ee9cc7133761b5e738a315e7eb784e348d7743a8a7366724e9f

SHA512
a5508a75a0a7c747cc50fe8284b9097e1cb9ae83bd7e80553ffa875a6d07d6eec7fc18f66a0a328aa0614c26642d884bfe152e6c09a11eeb0d64f6be66064eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47E6.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
8155dd4a16697830a63d507d2666b2a9

SHA1
e07a54b15c905cd1d9d41db3ccde3bade36bcdb4

SHA256
6b4f443629c32b632d8ad7bcb17d84da1e4eaec556dccdf98c5e9051cb404fed

SHA512
0cb6c3fa12cbe7f8e63c5c73c0665fc2593109801ba318c582c4bd1c14dfd27fff3252c22b9078040e743ec788ad9534856c72ca5e38d992d9cb5aeacf819e6f

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\data\cached-microdescs.new

Filesize
6.5MB

MD5
93221ae3cb05048800953f3731837c77

SHA1
e56f34c44c0130019bb1a02c0edc9bb0c83370b8

SHA256
99a6aaf5c26bf4ad860f7443373d7a903cd8db6d8fee4d87197609c9b9b178ca

SHA512
393834126d5440acc96787baf1b1c4752868b333eebdab3f932946f1784934eaf8cbb30230a75836c3e35aaf2505d3c6ee3ad6226fb7ae5c9e05891b94fabac5

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\host\hostname

Filesize
64B

MD5
07144fb14cd9b3e6b14618dbba76c052

SHA1
e1201a925176243f486f08cc2a3942c0e77c2b15

SHA256
3693573af9ab6274bb386cd2e823262d1f6b9f6242b47b9f9d638363ba28ce2c

SHA512
287d43c196ea0df7112acd6516fb1c09229ee1257246deecd0284b1915f79ccb0ed1e990b0cc5866e74d957b4ccf052bc349004af939132adbf604a04d70e9ff

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\port.dat

Filesize
4B

MD5
457ded6f20b28feb21b9bca73c498671

SHA1
ea6190388589e118da000561d056bbecf8142f4c

SHA256
c5e0562a087a92f624baa0dc01f1dbc0bf906bc9e1355cb9adbe8cb5faa7f23f

SHA512
fb46c803c939c8f846a1728b1e4f95843700bbe36c31b63c78744d3ef2512ef7ee28778e1c40b0443821c58517e34d2f71ae6dd69f697f81c81196f93f27aa9e

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\lcybndk48g\torrc.txt

Filesize
218B

MD5
9d6fc371827f11e6e570e0be43eaacb3

SHA1
6fefdb720ddecf42e13c63ef79021ab68d84639f

SHA256
ae75037a3dec34424ede7822b40edb48688bc8b66f94e9ad4c71ec07c73d1091

SHA512
b20e1150f9e7a39afffce7fc767657a30c5d027e77e33ef7373ae06e9ea2aeb87d710183c9acfb31381d7e6af941173f340b4e18c3bc933228d08f1d06814f8e

Download Submit
memory/628-159-0x0000025B5B370000-0x0000025B5B380000-memory.dmp

Filesize
64KB

Download
memory/628-161-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/628-158-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/672-140-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/672-137-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/672-138-0x000001FBEA300000-0x000001FBEA310000-memory.dmp

Filesize
64KB

Download
memory/1068-79-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/1068-75-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/1068-76-0x000001C0D2BA0000-0x000001C0D2BB0000-memory.dmp

Filesize
64KB

Download
memory/1184-152-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/1184-146-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/2244-69-0x00000217F86F0000-0x00000217F8700000-memory.dmp

Filesize
64KB

Download
memory/2244-11-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/2244-12-0x00000217F86F0000-0x00000217F8700000-memory.dmp

Filesize
64KB

Download
memory/2244-64-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/3308-98-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/3308-99-0x000002060C550000-0x000002060C560000-memory.dmp

Filesize
64KB

Download
memory/3308-101-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/3376-92-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/3376-89-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/3376-90-0x000001E2A4F80000-0x000001E2A4F90000-memory.dmp

Filesize
64KB

Download
memory/4788-109-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/4788-107-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/4936-173-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/4936-171-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/5008-2-0x000002ADFF560000-0x000002ADFF570000-memory.dmp

Filesize
64KB

Download
memory/5008-0-0x000002ADFCF10000-0x000002ADFCF6C000-memory.dmp

Filesize
368KB

Download
memory/5008-6-0x00007FFE03880000-0x00007FFE04341000-memory.dmp

Filesize
10.8MB

Download
memory/5008-1-0x00007FFE03880000-0x00007FFE04341000-memory.dmp

Filesize
10.8MB

Download
memory/5044-115-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/5044-118-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/5044-116-0x00000210F51C0000-0x00000210F51D0000-memory.dmp

Filesize
64KB

Download
memory/5064-131-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download
memory/5064-129-0x000002AE640F0000-0x000002AE64100000-memory.dmp

Filesize
64KB

Download
memory/5064-128-0x00007FFE031A0000-0x00007FFE03C61000-memory.dmp

Filesize
10.8MB

Download