Overview

overview

10

Static

static

10

SecuriteIn...15.exe

windows7-x64

10

SecuriteIn...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2023, 00:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe

  • Size

    599KB

  • MD5

    fdb8081ac26d8de3f7582b2616bcf3e8

  • SHA1

    c46856c1394a0b36f7826285db0d72ae494f15f0

  • SHA256

    2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

  • SHA512

    0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

  • SSDEEP

    6144:kH5XgP9i7Nss/t/a2zDGVPJXvnzZjDJHb571Kjn1929XDccH89bq3vcebsVDsu:8UkRatpvnzZjDv7oj19yTN3vi1

Score
10/10
gurcucollectiondiscoveryspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6237712604:AAESgAGfaQ0EUC8eWgMd7kpAW_FEGRDRfDs/sendMessage?chat_id=880824160

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3612
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2072
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:640
        • C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2192
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp9995.tmp" -C "C:\Users\Admin\AppData\Local\x22nso3f7r"
            4⤵
              PID:2124
            • C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
              "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:3556
      • C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
          "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4572
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2596 -s 1820
          2⤵
          • Program crash
          PID:728
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 408 -p 2596 -ip 2596
        1⤵
          PID:220
        • C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
          1⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
            "C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt"
            2⤵
            • Executes dropped EXE
            PID:2292
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2656 -s 2132
            2⤵
            • Program crash
            PID:1712
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 412 -p 2656 -ip 2656
          1⤵
            PID:3492

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
                  Filesize

                  599KB

                  MD5

                  fdb8081ac26d8de3f7582b2616bcf3e8

                  SHA1

                  c46856c1394a0b36f7826285db0d72ae494f15f0

                  SHA256

                  2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

                  SHA512

                  0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

                  Download Submit

                • C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
                  Filesize

                  599KB

                  MD5

                  fdb8081ac26d8de3f7582b2616bcf3e8

                  SHA1

                  c46856c1394a0b36f7826285db0d72ae494f15f0

                  SHA256

                  2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

                  SHA512

                  0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

                  Download Submit

                • C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
                  Filesize

                  599KB

                  MD5

                  fdb8081ac26d8de3f7582b2616bcf3e8

                  SHA1

                  c46856c1394a0b36f7826285db0d72ae494f15f0

                  SHA256

                  2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

                  SHA512

                  0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

                  Download Submit

                • C:\Users\Admin\AppData\Local\EsetSecurity\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe
                  Filesize

                  599KB

                  MD5

                  fdb8081ac26d8de3f7582b2616bcf3e8

                  SHA1

                  c46856c1394a0b36f7826285db0d72ae494f15f0

                  SHA256

                  2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

                  SHA512

                  0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecuriteInfo.com.Trojan.Mardom.IN.24.4653.16515.exe.log
                  Filesize

                  1KB

                  MD5

                  fc1be6f3f52d5c841af91f8fc3f790cb

                  SHA1

                  ac79b4229e0a0ce378ae22fc6104748c5f234511

                  SHA256

                  6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

                  SHA512

                  2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmp9995.tmp
                  Filesize

                  13.3MB

                  MD5

                  89d2d5811c1aff539bb355f15f3ddad0

                  SHA1

                  5bb3577c25b6d323d927200c48cd184a3e27c873

                  SHA256

                  b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

                  SHA512

                  39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdesc-consensus.tmp
                  Filesize

                  2.2MB

                  MD5

                  ce4fa0f353bef1f64329617b23f16904

                  SHA1

                  ccf6c5ed81d805c6aefc001c43a2ce5296be7174

                  SHA256

                  68c8027e08c3e7cee1dbc188cccd2441f6e09c291518c7ccc5482f7d3351749f

                  SHA512

                  38ae436357ba99baeb4cf53c7135bd3c513058c979ab1c4c2a48c7609c6b30ce41fcb348cbb5d1956b14875e66b7cd34981a23019f52c824fc5745cd639a1d90

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\data\cached-microdescs.new
                  Filesize

                  5.1MB

                  MD5

                  197f2c98cc7ada72fc12c2d0c3c3d018

                  SHA1

                  62d316ad4f8a610130cae93dfbe9ddef48773911

                  SHA256

                  69a63ffa0045ba0d1b397a6dffb3f89fd873c3ea66ae4aec7462873d84da23f2

                  SHA512

                  0993f71bb80b3be9ad7c99703375baeb8a6faca0d39b7e9d14b99d0b45f6153d73e85d68e555c85499ab61625cd0cd74a0f2a7ba7b4cf975385df1c4476e6c1a

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\host\hostname
                  Filesize

                  64B

                  MD5

                  b8513825c14744f16e414ba7d9540a5f

                  SHA1

                  45a6536feee4650aaa8c40445555b891ca54119f

                  SHA256

                  2546bbbd86dc912499f7d42d659e6ba9c03f44a6189307d59654725804fca016

                  SHA512

                  e9efadd3a3fc2f198f34dbb79a81cbf26c48de845ff171957a09112aa6972f0dca8ed4e7ae8aac6b8520aec84447fe17c3de9b6e3b93c4b6ba22c4a92c4f14b3

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\port.dat
                  Filesize

                  4B

                  MD5

                  b1790a55a67906c18bd9a046e17c5935

                  SHA1

                  82777aa205b09aa2ae34b25eea56fa7664e4e676

                  SHA256

                  5828f81e4e1a30fca0d699cffebc847c501c93493a513bc0de32c4b646bf69e8

                  SHA512

                  f80ee7f338ce5361319c8df58f2b5124182fb44bea83a1358e0ba8931692d808e812feaab0044f8c21ce6589429ab363b8d61393c974cadae313add10b5d4e1d

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
                  Filesize

                  7.4MB

                  MD5

                  88590909765350c0d70c6c34b1f31dd2

                  SHA1

                  129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

                  SHA256

                  46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

                  SHA512

                  a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
                  Filesize

                  7.4MB

                  MD5

                  88590909765350c0d70c6c34b1f31dd2

                  SHA1

                  129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

                  SHA256

                  46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

                  SHA512

                  a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
                  Filesize

                  7.4MB

                  MD5

                  88590909765350c0d70c6c34b1f31dd2

                  SHA1

                  129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

                  SHA256

                  46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

                  SHA512

                  a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\tor\tor.exe
                  Filesize

                  7.4MB

                  MD5

                  88590909765350c0d70c6c34b1f31dd2

                  SHA1

                  129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

                  SHA256

                  46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

                  SHA512

                  a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

                  Download Submit

                • C:\Users\Admin\AppData\Local\x22nso3f7r\torrc.txt
                  Filesize

                  218B

                  MD5

                  68fcc6704977c15317ceb51ad5a6ae06

                  SHA1

                  8f9e9988bfccad016f9df2465b1dd81d09f7b657

                  SHA256

                  53be1cd3d6d7af7d3773f6f3116a12942a231f1d0d9cd6ab88f97d6bc5129cb1

                  SHA512

                  efc5aa1ce322fe35b737196bc0f6c7c5aeee27d2be27253e5716cfd28c76b09872e6a7c93c3865146ef063deddcd957a7f1477a68553354b6b2f72dc1f3ffefb

                  Download Submit

                • memory/2192-160-0x0000028D54E50000-0x0000028D54E60000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2192-142-0x0000028D54E50000-0x0000028D54E60000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2596-206-0x000002033B7A0000-0x000002033B7B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2656-217-0x000001A8B5A60000-0x000001A8B5A70000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2804-133-0x000001C8CFDA0000-0x000001C8CFE3A000-memory.dmp

                  Filesize

                  616KB

                  Download

                • memory/2804-134-0x000001C8EA300000-0x000001C8EA310000-memory.dmp

                  Filesize

                  64KB

                  Download