Overview

overview

10

Static

static

10

f7b02278a2...50.exe

windows7-x64

10

f7b02278a2...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2023 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

  • Size

    490KB

  • MD5

    a338043c6b5260df6b7ce4c4ec3d1b80

  • SHA1

    087a787a34ee05478bfa07b50fd39c8367b0a157

  • SHA256

    f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

  • SHA512

    c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

  • SSDEEP

    6144:/6ho3IhHN5ya1R64TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tw39b5wGuJB:irhtHxpmWHgf8Y6/Qp1nLiDKIwf

Score
10/10
gurcucollectionspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6104192483:AAFCcnr4FR2XCO83zUSAWWZ9J3qw4tRYQoI/sendMessage?chat_id=2076277850

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4700
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2288
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:348
        • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:112

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
      Filesize

      490KB

      MD5

      a338043c6b5260df6b7ce4c4ec3d1b80

      SHA1

      087a787a34ee05478bfa07b50fd39c8367b0a157

      SHA256

      f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

      SHA512

      c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

      Download Submit

    • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
      Filesize

      490KB

      MD5

      a338043c6b5260df6b7ce4c4ec3d1b80

      SHA1

      087a787a34ee05478bfa07b50fd39c8367b0a157

      SHA256

      f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

      SHA512

      c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe.log
      Filesize

      847B

      MD5

      3308a84a40841fab7dfec198b3c31af7

      SHA1

      4e7ab6336c0538be5dd7da529c0265b3b6523083

      SHA256

      169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

      SHA512

      97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

      Download Submit

    • memory/112-143-0x000001E96D630000-0x000001E96D640000-memory.dmp

      Filesize

      64KB

      Download

    • memory/372-133-0x000002C82CFB0000-0x000002C82D030000-memory.dmp

      Filesize

      512KB

      Download

    • memory/372-134-0x000002C847710000-0x000002C847720000-memory.dmp

      Filesize

      64KB

      Download