Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2024 12:57

Behavioral task: behavioral1
Sample: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Resource: win7-20240729-en
General
Target: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Size: 490KB
MD5: a338043c6b5260df6b7ce4c4ec3d1b80
SHA1: 087a787a34ee05478bfa07b50fd39c8367b0a157
SHA256: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50
SHA512: c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf
SSDEEP: 6144:/6ho3IhHN5ya1R64TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tw39b5wGuJB:irhtHxpmWHgf8Y6/Qp1nLiDKIwf
Malware Config
Extracted
gurcu
C2 URL: https://api.telegram.org/bot6104192483:AAFCcnr4FR2XCO83zUSAWWZ9J3qw4tRYQoI/sendMessage?chat_id=2076277850
The C2 is the Telegram Bot API: the digits before the colon are the bot id and chat_id is the attacker's receiving chat; both are stable identifiers for correlation. The token after the colon is a live credential for that bot, so redact it when sharing the IOC outside the analysis team.
Signatures

Gurcu family

A potential corporate email address has been identified in the URL: SjiLM_Admin@YQRLKYON_report.wsr
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence. The value is queried once by each of the four instances of the sample in the process tree (PIDs 4420, 3168, 5096, 4116). Detection caveat: this is a registry read, which Sysmon does not record (its registry events cover key create/delete, value set and rename only), so the check is visible in sandbox or EDR API telemetry, not in Sysmon or the Windows Security log.
Description        IoC                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe  (recorded 4 times)
Executes dropped EXE (6 IoCs)
PID   Process
3168  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
2772  tor.exe
5096  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
4380  tor.exe
4116  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
3836  tor.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries. No file-level IoCs were recorded for this signature in this run.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
The subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook stores its account settings, including mail server logins; the sample checks the Office 15.0 and 16.0 locations and the Windows Messaging Subsystem path used by older profiles.
Description  IoC                                                                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                         f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Key opened   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                         f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow  IoC
63    ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PID   Process
1296  cmd.exe
5040  PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
PID   Process
5040  PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID   Process
2344  schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID   Process
3168  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
3168  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Description              PID   Process
Token: SeDebugPrivilege  4420  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege  3168  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege  5096  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Token: SeDebugPrivilege  4116  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

Suspicious use of WriteProcessMemory (18 IoCs)
Every parent/child pair is recorded twice in the sandbox output; each is listed once here with its count.
Description                       PID   Process                                                                PID target  Count
PID 4420 wrote to memory of 1296  4420  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe  82          2
PID 1296 wrote to memory of 2892  1296  cmd.exe                                                                84          2
PID 1296 wrote to memory of 5040  1296  cmd.exe                                                                85          2
PID 1296 wrote to memory of 2344  1296  cmd.exe                                                                86          2
PID 1296 wrote to memory of 3168  1296  cmd.exe                                                                87          2
PID 3168 wrote to memory of 1136  3168  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe  88          2
PID 3168 wrote to memory of 2772  3168  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe  90          2
PID 5096 wrote to memory of 4380  5096  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe  102         2
PID 4116 wrote to memory of 3836  4116  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe  108         2
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoC)
Description  IoC                                                                                                                                                  Process
Key opened   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

outlook_win_path (1 IoC)
Description  IoC                                                                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
    PID: 4420
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
      PID: 1296
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\chcp.com
        Command line: chcp 65001
        PID: 2892

    [3] C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1
        PID: 5040
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f
        PID: 2344
        - Scheduled Task/Job: Scheduled Task

    [3] C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        Command line: "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
        PID: 3168
        - Checks computer location settings
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path

      [4] C:\Windows\System32\tar.exe
          Command line: "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp" -C "C:\Users\Admin\AppData\Local\y5aox5pi99"
          PID: 1136

      [4] C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
          Command line: "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
          PID: 2772
          - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    Command line: C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    PID: 5096
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
      Command line: "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
      PID: 4380
      - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    Command line: C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    PID: 4116
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
      Command line: "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
      PID: 3836
      - Executes dropped EXE

Reading the tree: the cmd.exe chain under PID 4420 switches the console to UTF-8 (chcp 65001), pings loopback (the usual reading is a short delay so the original process can exit before DEL removes its image, though the sandbox labels it Internet Connection Discovery), registers a task that runs the relocated copy every minute at the highest run level, deletes the copy in Temp and starts the relocated one. The relocated copy (PID 3168) unpacks a gzipped tar from Temp into a random-named directory under AppData\Local with the built-in tar.exe and launches the bundled tor.exe with its own torrc. The two further root-level instances (PIDs 5096 and 4116) have no parent in the tree and carry the exact unquoted path given to schtasks /tr, which is consistent with the per-minute task firing during the 144 s run; each of them launches tor.exe again.
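The process tree above is the record a detection engineer wants to turn into rules. The following Python, added here as an example and not part of the sandbox report or the Gurcu sample itself, runs three checks over constructed process-creation events built from that tree: a scorer for the cmd.exe chain (schtasks /sc MINUTE + /rl HIGHEST pointing into a user-writable path, self-deletion, START of the relocated copy), a pairing of tar.exe extractions with tor.exe launches from the same directory, and an extractor for the stable parts of the Telegram C2 URL that also redacts the bot token. The event field names (pid, image, cmdline) are an assumed schema, not any product's; the benign comparison chain is constructed. Thresholds are illustrative.

```python
"""Detection helpers for the behaviour chain in the sandbox report above.

Added example, not part of the sandbox report or the malware. Events are
constructed from the report's process tree; the field names (pid, image,
cmdline) are an assumed log schema, not a real product's.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE = "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
ORIG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
DROP = "C:\\Users\\Admin\\AppData\\Local\\EsetSecurity\\" + SAMPLE
TOR_DIR = "C:\\Users\\Admin\\AppData\\Local\\y5aox5pi99"

# The cmd.exe /C chain as the report shows it (note "&&START" with no space).
CMD_CHAIN = (
    '"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    f'schtasks /create /tn "{SAMPLE[:-4]}" /sc MINUTE /tr "{DROP}" /rl HIGHEST /f && '
    f'DEL /F /S /Q /A "{ORIG}" &&START "" "{DROP}"'
)
# Constructed benign chain for comparison: a daily task pointing into Program Files.
BENIGN_CHAIN = ('"C:\\Windows\\System32\\cmd.exe" /C schtasks /create /tn "Backup" '
                '/sc DAILY /tr "C:\\Program Files\\Backup\\backup.exe" /f')
C2_URL = ("https://api.telegram.org/bot6104192483:AAFCcnr4FR2XCO83zUSAWWZ9J3qw4tRYQoI"
          "/sendMessage?chat_id=2076277850")

TOR_CMD = f'"{TOR_DIR}\\tor\\tor.exe" -f "{TOR_DIR}\\torrc.txt"'
# Constructed process-creation events, reduced from the report's process tree.
EVENTS = [
    {"pid": 1296, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": CMD_CHAIN},
    {"pid": 1136, "image": "C:\\Windows\\System32\\tar.exe",
     "cmdline": '"C:\\Windows\\System32\\tar.exe" -xvzf '
                f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB277.tmp" -C "{TOR_DIR}"'},
    {"pid": 2772, "image": TOR_DIR + "\\tor\\tor.exe", "cmdline": TOR_CMD},
    {"pid": 4380, "image": TOR_DIR + "\\tor\\tor.exe", "cmdline": TOR_CMD},
    {"pid": 3836, "image": TOR_DIR + "\\tor\\tor.exe", "cmdline": TOR_CMD},
]


def analyze_cmd_chain(cmdline: str) -> dict:
    """Score a cmd.exe /C chain for relocate + schtasks persistence + self-delete.

    Each sub-command between && is inspected on its own. A score of 6 means every
    trait seen in the report is present; a lone schtasks /create scores 1.
    """
    f = {"schtasks_create": False, "minute_schedule": False, "highest_runlevel": False,
         "task_target_user_writable": False, "deletes_exe": False, "starts_task_target": False}
    task_target = None
    for part in (p.strip() for p in cmdline.split("&&")):
        low = part.lower()
        if "schtasks" in low and "/create" in low:
            f["schtasks_create"] = True
            f["minute_schedule"] = bool(re.search(r"/sc\s+minute\b", low))
            f["highest_runlevel"] = bool(re.search(r"/rl\s+highest\b", low))
            m = re.search(r'/tr\s+"([^"]+)"', part, re.IGNORECASE)
            if m:
                task_target = m.group(1).lower()
                # A task action under AppData or Temp runs from a user-writable path.
                f["task_target_user_writable"] = ("\\appdata\\" in task_target
                                                  or "\\temp\\" in task_target)
        elif re.match(r"(del|erase)\b.*\.exe", low):
            f["deletes_exe"] = True
        elif low.startswith("start") and task_target and task_target in low:
            f["starts_task_target"] = True
    f["score"] = sum(1 for v in f.values() if v is True)
    return f


def tor_sideload(events: list) -> list:
    """Pair a tar.exe extraction into AppData with every later tor.exe launched from
    inside that directory; one record per tor.exe launch."""
    extracted = {}  # lower-cased extraction dir -> tar.exe pid
    hits = []
    for e in events:
        image = e["image"].lower()
        if image.endswith("\\tar.exe"):
            m = re.search(r'-C\s+"([^"]+)"', e["cmdline"])
            if m and "\\appdata\\" in m.group(1).lower():
                extracted[m.group(1).lower()] = e["pid"]
        elif image.endswith("\\tor.exe"):
            for d, tar_pid in extracted.items():
                if image.startswith(d + "\\"):
                    hits.append({"tor_pid": e["pid"], "tar_pid": tar_pid, "dir": d})
    return hits


def telegram_c2(url: str) -> dict:
    """Pull the stable IOCs (bot id, method, chat_id) out of a Telegram Bot API C2 URL
    and build a copy with the bot token redacted. Returns {} for non-Telegram URLs."""
    u = urlsplit(url)
    m = re.match(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", u.path)
    if u.netloc.lower() != "api.telegram.org" or not m:
        return {}
    chat = parse_qs(u.query).get("chat_id", [None])[0]
    redacted = f"https://{u.netloc}/bot{m.group(1)}:<redacted>/{m.group(3)}?chat_id={chat}"
    return {"bot_id": m.group(1), "method": m.group(3), "chat_id": chat,
            "redacted_url": redacted}


if __name__ == "__main__":
    print(analyze_cmd_chain(CMD_CHAIN))
    print(analyze_cmd_chain(BENIGN_CHAIN))
    print(tor_sideload(EVENTS))
    print(telegram_c2(C2_URL))
```

To run this against real telemetry, feed it Sysmon Event ID 1 or Security 4688 records; 4688 only carries the command line when "Include command line in process creation events" is enabled in audit policy, and without that field the schtasks scorer has nothing to inspect. The tar.exe pairing relies on the image path of the child, which both sources provide.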
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores, T1555 (1)
  - Credentials from Web Browsers, T1555.003 (1)
- Unsecured Credentials, T1552 (2)
  - Credentials In Files, T1552.001 (1)
  - Credentials in Registry, T1552.002 (1)
Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
Filesize: 490KB
MD5: a338043c6b5260df6b7ce4c4ec3d1b80
SHA1: 087a787a34ee05478bfa07b50fd39c8367b0a157
SHA256: f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50
SHA512: c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf
These hashes match the submitted sample exactly: the EsetSecurity copy is a byte-identical relocation of the original, not a repacked second stage, so the submitted hashes are valid IOCs for the persisted file as well.

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe.log
Filesize: 847B
MD5: 3308a84a40841fab7dfec198b3c31af7
SHA1: 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256: 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512: 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198
A CLR_v4.0\UsageLogs entry is written by the .NET Framework runtime when a managed executable runs, which indicates the sample is a .NET binary.

Filesize: 13.3MB
MD5: 89d2d5811c1aff539bb355f15f3ddad0
SHA1: 5bb3577c25b6d323d927200c48cd184a3e27c873
SHA256: b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
SHA512: 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Filesize: 18KB
MD5: faf2a62b3642b5a7c5f543c0702715d8
SHA1: e7eff4aac497b942800d2d8453a68330aec88312
SHA256: 4503ee09b65fb26821a1e2e1009ff9d7fa00f783385266c8d80d17a65c898d2a
SHA512: 8d640850083b1b3b4c5bf656504981486a47376161d5cedf28f53d58d795b4dd4d44d29f341486eef2740d018b61fecceb864a6a89aede5965453b0f57d779b7

Filesize: 2.8MB
MD5: 60b015590834133e034982d1b0a50a11
SHA1: 87be108c43f309b8996f79d9f765118c0243df35
SHA256: 96e7246185578f37210e1cf9b0f08cdb736f9f92db5d7c78d63a55a8e0139edc
SHA512: 8d38f5199585b2f646e08038534aab372da817ec850d25147269ec8270f62a355a8d35da0d3ee478ca87cb23e97d8f35a3e36d7a39c96fdfb631a3ccaf3b5a25

Filesize: 11.0MB
MD5: e5b659de042a9acac8cf6ba6c2eea762
SHA1: 67ffc0717b30c42fd5945ae2a8d42ef2c13416af
SHA256: c1d00df8488487c1261d3a1331dde2d08520a871de0555e7baa8a314cc5c6618
SHA512: 376852c85a4e0e7fa5c2aa8ff916d52cd3c1653e0e58a8b366c3e5a1d123ecddc15c155e5a28fa9b705159a6204959054b260cbf12c37e107461d561b49e4e6b

Filesize: 64B
MD5: 49e03e5a5e921944b695526513a8a803
SHA1: 33177a2d68f89c7ba531fb73b3bd02db12e3611c
SHA256: 947445aadbd931d2c8788ae71104b6247235c1dc45a3ccab858a9ba485bf9587
SHA512: c45b37a8dcd8d860bbc2fe8a00f9766eb838b8d2ed2765b2c022229800e9ee6aad4037d7e691052bc551f5497662ae13c18a6593210a0d33199f4fe636c69068

Filesize: 4B
MD5: dff8e9c2ac33381546d96deea9922999
SHA1: b7fe6dafb30d4f8a88653272cf36a4d37c328440
SHA256: 82af498652ef41247a7013552a7ac0538cec5a7232eb17ad11a06f1a20956293
SHA512: 23a3e487c61fb4bb75209d455bd90fe70cbc2530a1f9c2307e1d58dbdb6a39eeba9c2498f25d3cf02a66c320762f386b50a1fd5c639070fdd30e6b0878c1e9eb

Filesize: 7.4MB
MD5: 88590909765350c0d70c6c34b1f31dd2
SHA1: 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
SHA256: 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
SHA512: a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Filesize: 218B
MD5: f34270a1ba2d6e15a1b0ce0c7e755c34
SHA1: 84b8863606b1cbcd5ddc5aedb902dcaf786c2a00
SHA256: b068c70f905fce1bbabd49241a06dae030a99f579637e17f0cd157caa51579c0
SHA512: c2b8d9a28b065fc99136fa505d99919167ccefb079bc2fe99ed2f6475bb4d7b38ca060f4db5d289d8368db4fafe5bef7f1b850189fb8f9bc646ed47ccaad28ea