gurcu | 446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

Resubmissions

10-04-2024 02:13

240410-cnvjgsbh46 10

10-04-2024 02:13

10-04-2024 02:13

10-04-2024 02:13

27-06-2023 15:25

Analysis

max time kernel
838s
max time network
918s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Size

344KB
MD5

aec814bf30dd191b641feef457a718ce
SHA1

96c2bea5b416d10a2dae60acd2b7f9c7cebb8115
SHA256

446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89
SHA512

fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0
SSDEEP

6144:SXRrO+JguvyIs1DkhmgPZw6JXAL5+9bbYZQ4:ir/9m3cYZQ

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6202531839:AAHT41T-v1F7LRPMrYNhW3IEdF7Ab7I7uTM/sendMessage?chat_id=-1001903439899

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
1296	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2608	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
1452	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2592	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Token: SeDebugPrivilege	2608	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
Token: SeDebugPrivilege	1452	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1296	2784	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	28
PID 2784 wrote to memory of 1296	2784	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	28
PID 2784 wrote to memory of 1296	2784	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	28
PID 1296 wrote to memory of 2108	1296	cmd.exe	30
PID 1296 wrote to memory of 2108	1296	cmd.exe	30
PID 1296 wrote to memory of 2108	1296	cmd.exe	30
PID 1296 wrote to memory of 2592	1296	cmd.exe	31
PID 1296 wrote to memory of 2592	1296	cmd.exe	31
PID 1296 wrote to memory of 2592	1296	cmd.exe	31
PID 1296 wrote to memory of 2668	1296	cmd.exe	32
PID 1296 wrote to memory of 2668	1296	cmd.exe	32
PID 1296 wrote to memory of 2668	1296	cmd.exe	32
PID 1296 wrote to memory of 2608	1296	cmd.exe	33
PID 1296 wrote to memory of 2608	1296	cmd.exe	33
PID 1296 wrote to memory of 2608	1296	cmd.exe	33
PID 2608 wrote to memory of 2816	2608	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	35
PID 2608 wrote to memory of 2816	2608	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	35
PID 2608 wrote to memory of 2816	2608	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	35
PID 2640 wrote to memory of 1452	2640	taskeng.exe	37
PID 2640 wrote to memory of 1452	2640	taskeng.exe	37
PID 2640 wrote to memory of 1452	2640	taskeng.exe	37
PID 1452 wrote to memory of 2980	1452	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	38
PID 1452 wrote to memory of 2980	1452	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	38
PID 1452 wrote to memory of 2980	1452	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

C:\Users\Admin\AppData\Local\Temp\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
"C:\Users\Admin\AppData\Local\Temp\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2108
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2592
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2668
- - C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
    "C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2608 -s 2404
      4⤵
      PID:2816

C:\Windows\system32\taskeng.exe
taskeng.exe {06628E24-2751-4206-90DF-9ABCBBE3F5C1} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
  C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1452
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1452 -s 2320
    3⤵
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
effcccc4b6592de35815836abafafb5b

SHA1
128988428efa3eb705c735647966c3ec87cbd7ef

SHA256
014a4f1878d2e04987edd80473da2954901710c7cf97d0a743cd955d8903ac43

SHA512
6120014e72ea067e9659fe140b295d950518ccd79efc0fd3ba3124ff136b819e477d2ed7d49a3f914cbda3c940cf6abd9d64e64f2b3e2e6cb37ee96f5b05e148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14464d842b7ba9ff22f71feee1de774e

SHA1
4adb756d29f1b941782534b534603e0b34cbfd7c

SHA256
cb3878f23bf5a380d9f3ec926f5417038bddf4e96d0d0ac359252cdcd1970aca

SHA512
c76b8538f22fe78a664eb4e4d56c66edf3075e48bebc930fba46dd13a9531db3dd1094bc64deb380aa66d732a0303e34612926a542487f49e892fbd11caec74b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4cf27385afa5470ae68af2f80ac332d

SHA1
0f539f3b68057aded7049c49898d28aa6a5c48cf

SHA256
7fa7388a13395af378c61161e2545083e91571e5be64ed08d983af2b905ad192

SHA512
afa8c9dcb67a429eb07c4e12c4a3c165a59acfb954aba58c83c2451fabc0cd4d0ebf2146606ff96a86737918285033a74801e4de2b59371379cda628058d4266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d6a3c59459455caf629aa7c7eaf91dc

SHA1
4693a19dcf87324b0dd1571965496a769ed5080c

SHA256
8c60bfa5ca099fb36b1e4e923a911a9681730e09698e29507d71de3bb552c40f

SHA512
cb84b889b8c58fce83474b8c09b104413a0f3a0517a0876f3d1e4976cd19822d52e0b596ae4e17e41be6fdc331b9deb11ec1b12edb92addeda3fd4535f2dd28a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d63d5e75a631bcfe9da73c0c21dfdea

SHA1
330445c8c188b2d61f384d4934fe34a064c4ab36

SHA256
8f76d0b3d6d77f2db3a48b8180519f57f3f58fcb2003172f2f9949619bc66fa6

SHA512
603caed27c96ef8aeaf244be47d7e1ba991bf958389894addfe24081d3e34d880a2872b1a5b11d7d0bb8b90c0379935cd53f9488b1245be5f09c08e7a002a0a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
959cd1455e74dc8407a89bc293def89a

SHA1
ecaf668cb8fb95173899b012e59e9db0e6389a27

SHA256
012ac86d572914029357385c19ee30631423e258b0caede9af7f3169e87ec979

SHA512
a582207c743959e82095cc05e8b3cd487d4102a7b204bcfa4e5a310d765747524006d7dc7cb4e1b015103acc61f55268570af9114fa633e3eb46e48043f54513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6811abc87de008f5db6b70e233a3ff5a

SHA1
a9e6adcfac507800e472d2a8169830fb974a7d94

SHA256
480282f1a9929c104090008a8e2d80622436fe774f5143e66b23c06d7460bade

SHA512
d15033f85b649f6bc8795a9b863ece3a91e65a306ba57575e4781acb6c3b0f0a03a8782cb0e032c263652edc1cdf676e392876eb779ce83bcbb5bd2448c6eb7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67b47a6561ea8a71c64f8e57d16a0f3e

SHA1
3c7c55adf593ad787d9da16d75d53fb99abf6055

SHA256
0182b603213fe0c59e0b8ec5c03bf63eebdb95d33eaee1039dc7777accbe38cf

SHA512
7fa95566f3967df6401410a227baae256abfa97040ade1d92c35534ebc72cdd50f54535572556b00f145a25e05bcae597086709594c2c86ac50f8f34d6632d72

Download Submit
C:\Users\Admin\AppData\Local\8lxyt4fm8n\port.dat

Filesize
4B

MD5
b31df16a88ce00fed951f24b46e08649

SHA1
15664c029f5800776b362386d6e8bce48cdc54f7

SHA256
05b68f8f80d45137ec15579cdf91c560b0acaf4ad71a7d5a5352bcee36a3bb81

SHA512
5dc859d4dc09df5f43d86d8ea92e0243405e3e764fb22c673c5ce81b60c16ccacf57c3bf541db0c9271304c4ec765b69dc0ee2b137166e33355872b3dbf743d4

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89.exe

Filesize
344KB

MD5
aec814bf30dd191b641feef457a718ce

SHA1
96c2bea5b416d10a2dae60acd2b7f9c7cebb8115

SHA256
446278b00e672276ebd77b7a20356f9fdad4aeb0add39d714de87f3c6b17af89

SHA512
fdd89bcb64728e88e5b9453f3c93c011fa2f22a5947a3d380ac2768184126c27b0e97556ace1d736cfe4da20281b5c710af78f55460948d5561c979021f5b6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab284B.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar289E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1452-388-0x000007FEF4C70000-0x000007FEF565C000-memory.dmp

Filesize
9.9MB

Download
memory/1452-389-0x000000001AB00000-0x000000001AB80000-memory.dmp

Filesize
512KB

Download
memory/1452-459-0x000007FEF4C70000-0x000007FEF565C000-memory.dmp

Filesize
9.9MB

Download
memory/1452-460-0x000000001AB00000-0x000000001AB80000-memory.dmp

Filesize
512KB

Download
memory/2608-10-0x000007FEF4C70000-0x000007FEF565C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-11-0x000000001A930000-0x000000001A9B0000-memory.dmp

Filesize
512KB

Download
memory/2608-9-0x00000000000D0000-0x000000000012C000-memory.dmp

Filesize
368KB

Download
memory/2608-456-0x000007FEF4C70000-0x000007FEF565C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-458-0x000000001A930000-0x000000001A9B0000-memory.dmp

Filesize
512KB

Download
memory/2784-5-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-0-0x0000000000BD0000-0x0000000000C2C000-memory.dmp

Filesize
368KB

Download
memory/2784-2-0x000000001AE20000-0x000000001AEA0000-memory.dmp

Filesize
512KB

Download
memory/2784-1-0x000007FEF5660000-0x000007FEF604C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads