Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 12:01
Behavioral task
behavioral1
Sample
C9495B3A992EA3E2EF2788C7BA7ED840.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
C9495B3A992EA3E2EF2788C7BA7ED840.exe
Resource
win10v2004-20241007-en
General
-
Target
C9495B3A992EA3E2EF2788C7BA7ED840.exe
-
Size
163KB
-
MD5
c9495b3a992ea3e2ef2788c7ba7ed840
-
SHA1
3d2e2ff99cd28f81a906d8d928ad7d42ff5226be
-
SHA256
3398ed7cffcc75371d831fda315805c714268c321c863f60c806ae73cfaae4cd
-
SHA512
a11e2b0424d7342bbddc9dd0541902128238281dd9aa620b81213d937a997f9da1c1d3954a05bd57383eb27cd3270d2a29b40a16893237c435fcfdb6344a1746
-
SSDEEP
3072:amqroacBJ41WGh6ta9Y9bvxWlI9fKp7KdD+QOi:amwoaCE9Y9bvCQfKkO
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7617703274:AAFEXxgPRP1fZGT5UCjcRV4hUZdtNFxyusQ/sendMessage?chat_id=-4568449403
http://209.38.221.184:8080
http://46.235.26.83:8080
http://147.28.185.29:80
http://206.166.251.4:8080
http://51.159.4.50:8080
http://167.235.70.96:8080
http://194.164.198.113:8080
http://132.145.17.167:9090
https://5.196.181.135:443
http://116.202.101.219:8080
https://185.217.98.121:443
http://185.217.98.121:8080
http://159.203.174.113:8090
http://107.161.20.142:8080
https://192.99.196.191:443
http://65.49.205.24:8080
https://154.9.207.142:443
http://67.230.176.97:8080
http://8.222.143.111:8080
http://8.219.110.16:9999
http://41.87.207.180:9090
http://38.207.174.88:8080
http://185.217.98.121:80
http://18.228.80.130:80
http://168.138.211.88:8099
http://129.151.109.160:8080
http://20.78.55.47:8080
http://8.216.92.21:8080
https://138.2.92.67:443
http://38.60.191.38:80
http://101.126.19.171:80
http://47.96.78.224:8080
http://101.43.160.136:8080
Signatures
-
Gurcu family
-
A potential corporate email address has been identified in the URL: 7Dfho_Admin@NNYJZAHP_report.wsr
-
A potential corporate email address has been identified in the URL: G0t0X_Admin@NNYJZAHP_report.wsr
-
A potential corporate email address has been identified in the URL: VHI1G_Admin@NNYJZAHP_report.wsr
-
A potential corporate email address has been identified in the URL: i93nU_Admin@NNYJZAHP_report.wsr
-
A potential corporate email address has been identified in the URL: wCPfr_Admin@NNYJZAHP_report.wsr
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2580 cmd.exe 2616 netsh.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeCreateTokenPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeAssignPrimaryTokenPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeIncreaseQuotaPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeSecurityPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeTakeOwnershipPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeLoadDriverPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeSystemtimePrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeBackupPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeRestorePrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeShutdownPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeSystemEnvironmentPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeUndockPrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: SeManageVolumePrivilege 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: 31 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe Token: 32 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1488 wrote to memory of 2580 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 31 PID 1488 wrote to memory of 2580 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 31 PID 1488 wrote to memory of 2580 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 31 PID 2580 wrote to memory of 2548 2580 cmd.exe 33 PID 2580 wrote to memory of 2548 2580 cmd.exe 33 PID 2580 wrote to memory of 2548 2580 cmd.exe 33 PID 2580 wrote to memory of 2616 2580 cmd.exe 34 PID 2580 wrote to memory of 2616 2580 cmd.exe 34 PID 2580 wrote to memory of 2616 2580 cmd.exe 34 PID 2580 wrote to memory of 2664 2580 cmd.exe 35 PID 2580 wrote to memory of 2664 2580 cmd.exe 35 PID 2580 wrote to memory of 2664 2580 cmd.exe 35 PID 1488 wrote to memory of 2756 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 36 PID 1488 wrote to memory of 2756 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 36 PID 1488 wrote to memory of 2756 1488 C9495B3A992EA3E2EF2788C7BA7ED840.exe 36 PID 2756 wrote to memory of 2300 2756 cmd.exe 38 PID 2756 wrote to memory of 2300 2756 cmd.exe 38 PID 2756 wrote to memory of 2300 2756 cmd.exe 38 PID 2756 wrote to memory of 1268 2756 cmd.exe 39 PID 2756 wrote to memory of 1268 2756 cmd.exe 39 PID 2756 wrote to memory of 1268 2756 cmd.exe 39 PID 2756 wrote to memory of 2724 2756 cmd.exe 40 PID 2756 wrote to memory of 2724 2756 cmd.exe 40 PID 2756 wrote to memory of 2724 2756 cmd.exe 40 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C9495B3A992EA3E2EF2788C7BA7ED840.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\C9495B3A992EA3E2EF2788C7BA7ED840.exe"C:\Users\Admin\AppData\Local\Temp\C9495B3A992EA3E2EF2788C7BA7ED840.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1488 -
C:\Windows\system32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"2⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2548
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2616
-
-
C:\Windows\system32\findstr.exefindstr /R /C:"[ ]:[ ]"3⤵PID:2664
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"2⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2300
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1268
-
-
C:\Windows\system32\findstr.exefindstr "SSID BSSID Signal"3⤵PID:2724
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1