Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

6734.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    302s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2023, 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6734.exe

  • Size

    504KB

  • MD5

    ad576a5e9a73e049d4b2fd7005c4790e

  • SHA1

    781c71c7ed316739e7aa6f44072139827eca228c

  • SHA256

    9ea90f0a5b0bfa5de1e5aa7eb43000eae8f1c034e5e0b7c3fa97c27e5bc7a8b5

  • SHA512

    3061d30fe1a3c8201bbd4106913b03ffd2d16122a8a6f04f8d1023e490589b44b862cf98e08ddfe6b44db79cb904c7f513c1659f1553187ece27429d59cc2357

  • SSDEEP

    6144:aym/c4Dyv3TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tPHh1DTbhXBZdt/vZ:eEpmWHgf8Y6/Qp1nLiDKs+pN1UO

Score
10/10
gurcuspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot5805920195:AAHrkiYfOXg55Cncdj5wUj0Ov4rUYjQg7iU/sendMessage?chat_id=5668321496

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6734.exe
    "C:\Users\Admin\AppData\Local\Temp\6734.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "6734" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\6734.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\6734.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\6734.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2136
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3704
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "6734" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\6734.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4732
        • C:\Users\Admin\AppData\Local\EsetSecurity\6734.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\6734.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1500

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\EsetSecurity\6734.exe
      Filesize

      504KB

      MD5

      ad576a5e9a73e049d4b2fd7005c4790e

      SHA1

      781c71c7ed316739e7aa6f44072139827eca228c

      SHA256

      9ea90f0a5b0bfa5de1e5aa7eb43000eae8f1c034e5e0b7c3fa97c27e5bc7a8b5

      SHA512

      3061d30fe1a3c8201bbd4106913b03ffd2d16122a8a6f04f8d1023e490589b44b862cf98e08ddfe6b44db79cb904c7f513c1659f1553187ece27429d59cc2357

      Download Submit

    • C:\Users\Admin\AppData\Local\EsetSecurity\6734.exe
      Filesize

      504KB

      MD5

      ad576a5e9a73e049d4b2fd7005c4790e

      SHA1

      781c71c7ed316739e7aa6f44072139827eca228c

      SHA256

      9ea90f0a5b0bfa5de1e5aa7eb43000eae8f1c034e5e0b7c3fa97c27e5bc7a8b5

      SHA512

      3061d30fe1a3c8201bbd4106913b03ffd2d16122a8a6f04f8d1023e490589b44b862cf98e08ddfe6b44db79cb904c7f513c1659f1553187ece27429d59cc2357

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6734.exe.log
      Filesize

      1KB

      MD5

      fc1be6f3f52d5c841af91f8fc3f790cb

      SHA1

      ac79b4229e0a0ce378ae22fc6104748c5f234511

      SHA256

      6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

      SHA512

      2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

      Download Submit

    • memory/1500-142-0x000001CF77810000-0x000001CF77820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3664-133-0x000002B41FFB0000-0x000002B420032000-memory.dmp

      Filesize

      520KB

      Download

    • memory/3664-136-0x000002B43A710000-0x000002B43A720000-memory.dmp

      Filesize

      64KB

      Download