gurcu | c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

Resubmissions

10-04-2024 02:41

240410-c6hmmsfd7z 10

10-04-2024 02:41

10-04-2024 02:41

10-04-2024 02:41

14-10-2023 01:33

Analysis

max time kernel
131s
max time network
294s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x19a4f9f3d16fcc9779ba8ea79bf7.exe
Size

392KB
MD5

2299a17350433284e58bd0fcc10edf41
SHA1

d477f1cd55365db00ca77cc5459afabe1ffc80b3
SHA256

c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d
SHA512

123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1
SSDEEP

6144:5cJGLvLE5hu6Me646G0D1ecme1x9b31v4n:uUvLr6k9b5ecmed1v4

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6193093056:AAHzyNGUGS9aUG6CCx6ENLoXpCFLzEQywIQ/sendMessage?chat_id=1098292643

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2524	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2396	x19a4f9f3d16fcc9779ba8ea79bf7.exe
2364	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	ip-api.com
158	ip-api.com
242	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2612	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2648	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2524	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2396	x19a4f9f3d16fcc9779ba8ea79bf7.exe
Token: SeDebugPrivilege	2364	x19a4f9f3d16fcc9779ba8ea79bf7.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2492	1212	x19a4f9f3d16fcc9779ba8ea79bf7.exe	28
PID 1212 wrote to memory of 2492	1212	x19a4f9f3d16fcc9779ba8ea79bf7.exe	28
PID 1212 wrote to memory of 2492	1212	x19a4f9f3d16fcc9779ba8ea79bf7.exe	28
PID 2492 wrote to memory of 2616	2492	cmd.exe	30
PID 2492 wrote to memory of 2616	2492	cmd.exe	30
PID 2492 wrote to memory of 2616	2492	cmd.exe	30
PID 2492 wrote to memory of 2648	2492	cmd.exe	31
PID 2492 wrote to memory of 2648	2492	cmd.exe	31
PID 2492 wrote to memory of 2648	2492	cmd.exe	31
PID 2492 wrote to memory of 2612	2492	cmd.exe	32
PID 2492 wrote to memory of 2612	2492	cmd.exe	32
PID 2492 wrote to memory of 2612	2492	cmd.exe	32
PID 2492 wrote to memory of 2524	2492	cmd.exe	33
PID 2492 wrote to memory of 2524	2492	cmd.exe	33
PID 2492 wrote to memory of 2524	2492	cmd.exe	33
PID 2524 wrote to memory of 2688	2524	x19a4f9f3d16fcc9779ba8ea79bf7.exe	35
PID 2524 wrote to memory of 2688	2524	x19a4f9f3d16fcc9779ba8ea79bf7.exe	35
PID 2524 wrote to memory of 2688	2524	x19a4f9f3d16fcc9779ba8ea79bf7.exe	35
PID 2192 wrote to memory of 2396	2192	taskeng.exe	39
PID 2192 wrote to memory of 2396	2192	taskeng.exe	39
PID 2192 wrote to memory of 2396	2192	taskeng.exe	39
PID 2396 wrote to memory of 2792	2396	x19a4f9f3d16fcc9779ba8ea79bf7.exe	40
PID 2396 wrote to memory of 2792	2396	x19a4f9f3d16fcc9779ba8ea79bf7.exe	40
PID 2396 wrote to memory of 2792	2396	x19a4f9f3d16fcc9779ba8ea79bf7.exe	40
PID 2192 wrote to memory of 2364	2192	taskeng.exe	41
PID 2192 wrote to memory of 2364	2192	taskeng.exe	41
PID 2192 wrote to memory of 2364	2192	taskeng.exe	41
PID 2364 wrote to memory of 2476	2364	x19a4f9f3d16fcc9779ba8ea79bf7.exe	42
PID 2364 wrote to memory of 2476	2364	x19a4f9f3d16fcc9779ba8ea79bf7.exe	42
PID 2364 wrote to memory of 2476	2364	x19a4f9f3d16fcc9779ba8ea79bf7.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	x19a4f9f3d16fcc9779ba8ea79bf7.exe

C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe
"C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\x19a4f9f3d16fcc9779ba8ea79bf7.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2616
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2648
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "x19a4f9f3d16fcc9779ba8ea79bf7" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2612
- - C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2524 -s 4240
      4⤵
      PID:2688

C:\Windows\system32\taskeng.exe
taskeng.exe {F2A9370B-D957-494D-9321-8FC2852330B7} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2396 -s 3152
    3⤵
    PID:2792
- C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
  C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2364
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2364 -s 2488
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d34fc8c5edbef61116e0e1bc905ff901

SHA1
3c48d0b3b7fc23e5737f7beca6acc28bb3b38cba

SHA256
be1cbbf77e2d502bc22d34484cb4d19aedee9086faff96d67b2bfee2d404c8fc

SHA512
32b630c6afac918a9d55bf9158a578f8be3f70225e60b449d63e33331b17ee9ad74cf15829dbaa8718a693043e97eb1bacd7936846484030f66a7ac915c0bdea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f333dcc7b6eb097c2527adcfb6084cf

SHA1
75418073d65b659f791e1d4a4888402a8184c0ae

SHA256
e4dffc75645dc08eca618411dacc3c1680c70d9294cad58b24fb02b17967605f

SHA512
e94282a8656ccfae734482b91a75ffed690d8180bc49895d4509138a4c490dd2ee8752b5b3fb4db00833f3091d9fb1f51547ff9ae213601e12d88a0ffc100b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79521d6056ed51b062feb4a9addd547e

SHA1
bb96e8babfbf98fe2e76b8e4f00bd705f4290ac8

SHA256
ee3ff743d8d6ac5df7313e0999cb56348887ea8ad0be60ec6998b4248394bdb1

SHA512
870dc59dd513721880c471430b17ffa07c928eab095e47e145bea80f907d4f58f64beb147b996db32e0ab900cd84135bfd4ef53fe74f4f052876ddd06275d488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d5647ed4170b5ae0b3f8817f0d406b7

SHA1
eb18fd54bcd0afb42a235b4ab4b629707bf17258

SHA256
d1aca5281183e9f33dc731cc0e863981d301ce9796e3d5a542fdb9e6be839ae2

SHA512
502599f2e7aead9621e24ad7e3eea6eb2233d5a3721ffccd0108cac7b078f13a33c1990325ba194a7d6b16f87666ae1b29315e728058374e817da485d9167c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88643b495a1f5781864e7ee1d5b5deed

SHA1
73b19a03f8dfba6ed67d8cfc8c9dd4258e5ff9cb

SHA256
a200384b9b4536efa486161649487650c4eb5c7ac0b204d4ca2f786b157f0e66

SHA512
94b5c6f308d3db623a04013c3f8f793772dcc17b1f47192b94b7e7b6a9576f50b5e7495b956b20b88f8bcd5d461d175338b9498d5135fb61cd92bf234e790057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0be33858404bb817f545f0149a1edd38

SHA1
c1cea9c29de46010debe725ee3f44517bc8c5e51

SHA256
2151c2d8e5694bb49dcfd0defc52f33a92ae2cfd7fe9026ce90b1bccb4d9b0f8

SHA512
2f70902bef51a3955984c0f9c13cf55598451f9c3fef9b41ad4e10bd776b93b1cabfc37f895cbd70bdc76d0de59e9da380491748be2f557ed1b1f1e7f7bd2744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16ba643d0d2adddd7f28ba06ff1337b2

SHA1
52498e57bba791db37bc9ff3627680882ca54d29

SHA256
ad61ba2362cc9537275a3b3a1c30da75e01df3f294e0217b5811877777952fc4

SHA512
9decb8471a0d16b2d11f8ba4b56a5ad13cd812c40a0943511fad7775b7d227999761ae0f245ddf788bda5aaba7c1d2dcfb8fddf4cf4c9a3519ca0a24a912809e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
681a4e3373cdae0fd86bf941e52697cc

SHA1
4b36be3682900f63cd7abd25aebf4eeebfb3d437

SHA256
c9025eb0bef434f6f89a601ff0e79b73976f20cdc00544515e21173b9955c35b

SHA512
abbd89b98574376004ed3e5fe2f381caf30d3c1f86b6033e07f76b0aa52d9a0cf6416d526a0bcacc8a739df0d76a45337738ba12ce9aa8e1194072d2802f0ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a71fb42bb7cc162a5abddb7a060fde26

SHA1
3b098cb7a6b0d39203bfce7137236f9ec99e2473

SHA256
1f8784c9a9994c043f4c5f9fe4937cf9cb55f6b5fc420cca6fc415b483b23177

SHA512
adf6165599d16bdf3f7d5f637de4f45913e5824affd9fa10d4db64a575f2ee792d1a38e3796ab9a08096ad663646ddf74c821b2b11217618201c1b9296552a58

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\x19a4f9f3d16fcc9779ba8ea79bf7.exe

Filesize
392KB

MD5
2299a17350433284e58bd0fcc10edf41

SHA1
d477f1cd55365db00ca77cc5459afabe1ffc80b3

SHA256
c3439dd56bcf3921cdbfcbdff3f928d14ebd632b3411235657bf9f5452c1ab9d

SHA512
123d18cf17b4bb0f0b16414039c2381f77e9f12c96a109d5847c760e4d7fb64f6c592f8f185a4c0375aade6754afd0abd6a196936adac405290f157829ae25a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9215.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9228.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9329.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\xtioxntk7k\port.dat

Filesize
4B

MD5
a3fc981af450752046be179185ebc8b5

SHA1
f587a5d388ad1c52f845194f6fe982b62228d2bb

SHA256
f406f0abab9477c96662b4c3e7e76c845272879df2e7223784d26473da7014df

SHA512
3932ad93bf55cf134b8e43a27a8e0dbc13dfb5a68c9ac7b9840717343864110d2becd02f752d29ac3c8cab680e0a5fa5d8d08a5311d152b51ca5b2510928b6f1

Download Submit
memory/1212-5-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/1212-2-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/1212-1-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/1212-0-0x00000000010A0000-0x0000000001108000-memory.dmp

Filesize
416KB

Download
memory/2364-423-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2364-424-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2364-404-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2364-403-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-368-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-401-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-369-0x000000001AA30000-0x000000001AAB0000-memory.dmp

Filesize
512KB

Download
memory/2524-366-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-11-0x000000001B170000-0x000000001B1F0000-memory.dmp

Filesize
512KB

Download
memory/2524-10-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-9-0x0000000001060000-0x00000000010C8000-memory.dmp

Filesize
416KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads