gurcu | c2e57e9b6e52a5429ae7a7bd36c57f63589d78fbf0ffe5760ada4a67b9fadec9

Resubmissions

10/04/2024, 02:28

240410-cyaxtsca43 10

10/04/2024, 02:28

10/04/2024, 02:28

10/04/2024, 02:28

14/10/2023, 01:16

Analysis

max time kernel
1556s
max time network
1560s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

m1f1f3a069223072f8d6802a079235d.exe
Size

306KB
MD5

4b36dcaa94c3eca48a6292bd670ffe79
SHA1

705484e61ac39ba02cc80903be0da6ce74333334
SHA256

c2e57e9b6e52a5429ae7a7bd36c57f63589d78fbf0ffe5760ada4a67b9fadec9
SHA512

cf07d7f80264554eb3b945421ca41db38ff79707775d355d478c09f4b64d14f523339295aa4bc9b79c0dbb004e6756585bcf85edc8cbc2d16f7f0481be93513a
SSDEEP

3072:71E/yXS0m2pOVLVewP2D/kIyC+mvXi1QJIkjXAToknBq9tT/8RJ6W3t3dpdQGqKI:7E2mDMtqa5EOTeKXAllKD9bmTneefA

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6209822134:AAHQxD-CI1YDVcNbXijXHlonsEUgv3dfYtg/sendMessage?chat_id=-1001529292045

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	m1f1f3a069223072f8d6802a079235d.exe
1916	m1f1f3a069223072f8d6802a079235d.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	ip-api.com
49	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2484	schtasks.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	m1f1f3a069223072f8d6802a079235d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	m1f1f3a069223072f8d6802a079235d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	m1f1f3a069223072f8d6802a079235d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	m1f1f3a069223072f8d6802a079235d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	m1f1f3a069223072f8d6802a079235d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	m1f1f3a069223072f8d6802a079235d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	m1f1f3a069223072f8d6802a079235d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	m1f1f3a069223072f8d6802a079235d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2580	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	m1f1f3a069223072f8d6802a079235d.exe
Token: SeDebugPrivilege	2356	m1f1f3a069223072f8d6802a079235d.exe
Token: SeDebugPrivilege	1916	m1f1f3a069223072f8d6802a079235d.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2916	1664	m1f1f3a069223072f8d6802a079235d.exe	28
PID 1664 wrote to memory of 2916	1664	m1f1f3a069223072f8d6802a079235d.exe	28
PID 1664 wrote to memory of 2916	1664	m1f1f3a069223072f8d6802a079235d.exe	28
PID 2916 wrote to memory of 2556	2916	cmd.exe	30
PID 2916 wrote to memory of 2556	2916	cmd.exe	30
PID 2916 wrote to memory of 2556	2916	cmd.exe	30
PID 2916 wrote to memory of 2580	2916	cmd.exe	31
PID 2916 wrote to memory of 2580	2916	cmd.exe	31
PID 2916 wrote to memory of 2580	2916	cmd.exe	31
PID 2916 wrote to memory of 2484	2916	cmd.exe	32
PID 2916 wrote to memory of 2484	2916	cmd.exe	32
PID 2916 wrote to memory of 2484	2916	cmd.exe	32
PID 2916 wrote to memory of 2356	2916	cmd.exe	33
PID 2916 wrote to memory of 2356	2916	cmd.exe	33
PID 2916 wrote to memory of 2356	2916	cmd.exe	33
PID 2356 wrote to memory of 1808	2356	m1f1f3a069223072f8d6802a079235d.exe	35
PID 2356 wrote to memory of 1808	2356	m1f1f3a069223072f8d6802a079235d.exe	35
PID 2356 wrote to memory of 1808	2356	m1f1f3a069223072f8d6802a079235d.exe	35
PID 1092 wrote to memory of 1916	1092	taskeng.exe	39
PID 1092 wrote to memory of 1916	1092	taskeng.exe	39
PID 1092 wrote to memory of 1916	1092	taskeng.exe	39
PID 1916 wrote to memory of 2204	1916	m1f1f3a069223072f8d6802a079235d.exe	40
PID 1916 wrote to memory of 2204	1916	m1f1f3a069223072f8d6802a079235d.exe	40
PID 1916 wrote to memory of 2204	1916	m1f1f3a069223072f8d6802a079235d.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	m1f1f3a069223072f8d6802a079235d.exe

C:\Users\Admin\AppData\Local\Temp\m1f1f3a069223072f8d6802a079235d.exe
"C:\Users\Admin\AppData\Local\Temp\m1f1f3a069223072f8d6802a079235d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "m1f1f3a069223072f8d6802a079235d" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\m1f1f3a069223072f8d6802a079235d.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2556
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2580
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "m1f1f3a069223072f8d6802a079235d" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2484
- - C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe
    "C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2356 -s 1972
      4⤵
      PID:1808

C:\Windows\system32\taskeng.exe
taskeng.exe {E5F4B081-06E1-44E2-9573-EA9A33985ED0} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe
  C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1916
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1916 -s 1232
    3⤵
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc1ebc3b26c9d13f366155e6f18f77ba

SHA1
b7f5e6c0a79ffa5294719eae426a8655223b9333

SHA256
9cb30afda0b892738fb457f3738a448d938ac5890389693c898f9a48db6a81fb

SHA512
4bb776bf981a8149f7857af18b5dd7be6fbaf7375332e3a092d858b07dcfda43a58ac15c599dcbd29ebb6de0e976d8c0ba51bc372e318177df63310d137948b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59462e718eb3067849209f958225352d

SHA1
4eba52e3d6120b1b95b08e2691589d2c87ba4599

SHA256
5eb5a1713417e9beaf224fdbeb7dc5024a63ed0f223e4a160e15e8a1bcbd762e

SHA512
e5f5362f4ce28903ca269ed971c897d48ca5b60e7f55d97247e3d5ad457ffc613c691b668e5422f43eab27a8b502c0ac54c1063a944b007751b71ff558f48aab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
734f0f2e1cc739fc9612f01090c2c925

SHA1
b28248aed83faf3e6824d91e29d59f64359ac3bd

SHA256
283d19820422b5a96201e2a40faeb161ec7e614db9277b97825fe37443fb6b75

SHA512
4d7403e1d133ef1d908f8f354d3acee6054acf1f7efbc31c22f249908c54009117a50177c498ba0e9257f447dc9829560e27f256660e958c1d1b0468848b413e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e83bf30cf289032ef7c0decbd191e3a5

SHA1
ae5bf69ab0d7ea827f9a42b544e227cd91e7cfda

SHA256
1711f2e48e8d38b23548823d86fa73efa8e9a9ebf7d404c0f950323b88b3c198

SHA512
de02503917e01161dd4edc2b6d8850c43fad930c0b6bdcff8643041c6f237c877e76bf1c66ad541e38dad534a8b3b9ceed503839b83c523f9a810cd7c699d416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7536b1856873608c87ca81871f462d7

SHA1
bdc30ec469af7724060f71d4616f6eae73f61918

SHA256
67fd762e949d0e0d596762b4e268382bd5dbe4aa464051c5180790ee2353fb87

SHA512
6cf305ae165af5792da1561eb33f980aad077abb8af91c4ee8e589e279e33271de3b3ee6adab4aba38d94e9e959e2eaa33e87e5d58f347b5afb6ebd03a524a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6abbe0d5ac6d8fff9095cb766194c8bb

SHA1
5a67816deaaa40f6edd81491a82b005c2d1e1d7b

SHA256
fcee44dfcc90ab2899e1e39d9dd42e6be78f1b6aa2c09b99cc3bfa54a49da255

SHA512
bb2fcc751e600a644dc66f773dc5d256c5beb765df99f5244c91f3509981be0c4ad7af10e3f7f81697753fda02e19a6bdb23a43cab4413a105598d039c5a6c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d861e9ebdcf13c303742924973c2275

SHA1
13bdd042f95b0edbeba84c89ce5b4aced1734909

SHA256
705f2044da665f40aa398ec744af8e284eb67f2e11caccf8e45d54a3fc6a0c59

SHA512
4659488a25255935f3fdfcedc7162771c54f4abff879753b0c22c3adb1a61173eec3609d78cf24b7895791fdadd779379d3ec966e8dcf27ac9b27eb48242a6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6cd05b7432bceb4ac4ac4eb24e7aafbc

SHA1
a0df99a2bdabdabab2c681b83b24f4def721157e

SHA256
e3a1b08b29e1f57a399014830ec80c7075e239909b00593eb8a90cdc5acc19c4

SHA512
5ae3ea6055f50c42e8f5db04ee054f38fd0b3bf44648bdfb19bdd0ee76e90843103995ac0ddea3928635051a7cda1bfca250efda3980b5ddf8e0f6cf6e13342b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05a498b288f6467a2484d0562007256c

SHA1
1f90c4aba6d4dc188120aa2abe64813c33845ded

SHA256
798a1924a9518ceb386f152a021ad13344111256483ac2ead3e552b4f368df4f

SHA512
9fab009e4f64739406fe6171b495308d94bcac7360b72314dcc452c0400396c09189ad514e62c0be2d88fe0aebcec8ed5a9c6f621677c65b19677f6c96c92ce1

Download Submit
C:\Users\Admin\AppData\Local\TeamViewer\m1f1f3a069223072f8d6802a079235d.exe

Filesize
306KB

MD5
4b36dcaa94c3eca48a6292bd670ffe79

SHA1
705484e61ac39ba02cc80903be0da6ce74333334

SHA256
c2e57e9b6e52a5429ae7a7bd36c57f63589d78fbf0ffe5760ada4a67b9fadec9

SHA512
cf07d7f80264554eb3b945421ca41db38ff79707775d355d478c09f4b64d14f523339295aa4bc9b79c0dbb004e6756585bcf85edc8cbc2d16f7f0481be93513a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAF74.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAFD4.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB017.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\d67800nkmj\port.dat

Filesize
4B

MD5
70afbf2259b4449d8ae1429e054df1b1

SHA1
05d9cde9b2a8491cb54a4cd7a400c21432d3a0d0

SHA256
3d19e945ed5a25a399da3036bc862275296544218de8260d47a5ad3d9b853af4

SHA512
913916f9278bd02db42979f4e49271d53302a441678e328c8b7b3b45524dce8bb6f45eb5895ecec3bd87c1bbbe74096db5757f3001a7990ef0799c7b22c40231

Download Submit
memory/1664-2-0x000000001B150000-0x000000001B1D0000-memory.dmp

Filesize
512KB

Download
memory/1664-0-0x0000000001050000-0x00000000010A2000-memory.dmp

Filesize
328KB

Download
memory/1664-1-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1664-5-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-382-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-383-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1916-469-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-470-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/2356-379-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-380-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2356-9-0x0000000000390000-0x00000000003E2000-memory.dmp

Filesize
328KB

Download
memory/2356-10-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-11-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads