Analysis Overview
SHA256
a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647
Threat Level: Known bad
The file 369204590CE91E77109E21A298753522.exe was found to be: Known bad.
Malicious Activity Summary
Detect Gurcu Stealer V3 payload
Gurcu family
Gurcu, WhiteSnake
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Runs ping.exe
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-08 09:46
Signatures
Detect Gurcu Stealer V3 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gurcu family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-08 09:46
Reported
2023-09-08 09:48
Platform
win7-20230831-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Detect Gurcu Stealer V3 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gurcu, WhiteSnake
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob elided) | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Note on this signature: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1 and DAC9024F54D8F6DF94935FB1732638CA6AD77C13 that of DST Root CA X3, the two roots of the Let's Encrypt chain. Taken together with the apps.identrust.com fetch and the CryptnetUrlCache, Cab*.tmp and Tar*.tmp files listed below, these writes are consistent with Windows' automatic root certificate update running while the sample's TLS connection to archive.torproject.org was validated on this Windows 7 image; the Windows 10 run, which already trusts ISRG Root X1, shows no such writes. They are not evidence of the sample installing its own root. The signature would only matter if a thumbprint outside the Microsoft trusted root program appeared here.
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe
"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2932 -s 3060
C:\Windows\system32\taskeng.exe
taskeng.exe {5D8EB511-77CD-44A5-9645-71388058095C} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2928 -s 3136
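The cmd.exe line above is the whole persistence and self-deletion step in one command: chcp 65001 switches the console code page, ping 127.0.0.1 is a short delay, schtasks registers a task that re-runs the copy under %LOCALAPPDATA%\EsetSecurity every minute at the highest run level, DEL removes the original in %TEMP%, and START launches the copy. The Python below is an added example, not code from the report or from the sample: it parses such a chain out of process-creation telemetry and scores the individual tells so the same hunt can be run over command lines in bulk. Only REPORT_CMDLINE is taken from the report; the other telemetry records, the rule wording and the hit threshold are the example's own constructions.

```python
r"""Parse and score a cmd.exe persistence chain of the shape seen in the report.

Added example (not part of the sandbox report or the malware). REPORT_CMDLINE is
the exact cmd.exe command line from the Processes section; the other records are
constructed stand-ins for process-creation telemetry.
"""
import re

# One token per match: the body of a "..." string, or a run of non-blanks.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Directories a standard user can write to; a task action living here is a
# persistence red flag, especially combined with /rl HIGHEST.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")


def tokenize(segment):
    """Split one cmd.exe segment into tokens, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(segment)]


def parse_chain(cmdline):
    """Return the `a && b && c` steps of a cmd.exe command line as token lists.

    Splitting on && happens before tokenizing so that `&&START` (no space, exactly
    as in the report) is handled; a quoted && inside an argument would be mis-split,
    which is acceptable for triage.
    """
    steps = [tokenize(s) for s in re.split(r"\s*&&\s*", cmdline) if s.strip()]
    first = steps[0] if steps else []
    # Drop the interpreter image and its /C or /K switch from the first step.
    while first and (first[0].lower().endswith("cmd.exe") or first[0].lower() in ("/c", "/k")):
        first.pop(0)
    return steps


def parse_switches(args):
    """Turn `/tn X /sc MINUTE /f` style arguments into {"tn": "X", "sc": "MINUTE", "f": True}."""
    opts, i = {}, 0
    while i < len(args):
        if args[i].startswith("/"):
            key = args[i][1:].lower()
            if i + 1 < len(args) and not args[i + 1].startswith("/"):
                opts[key] = args[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def extract(steps):
    """Pull the persistence-relevant facts out of the parsed steps."""
    info = {"task": None, "deletes": [], "starts": [], "delay": False}
    for tokens in steps:
        if not tokens:
            continue
        verb = tokens[0].lower()
        if verb in ("ping", "timeout"):                  # cheap sleep before acting
            info["delay"] = True
        elif verb == "schtasks" and len(tokens) > 1 and tokens[1].lower() == "/create":
            info["task"] = parse_switches(tokens[2:])
        elif verb in ("del", "erase"):
            info["deletes"].extend(t for t in tokens[1:] if not t.startswith("/"))
        elif verb == "start":
            args = tokens[1:]
            if args and args[0] == "":                   # START "" <program>: empty window title
                args = args[1:]
            args = [t for t in args if t and not t.startswith("/")]
            if args:
                info["starts"].append(args[0])
    return info


def assess(info):
    """Return the list of rules the chain trips; an empty list means nothing notable."""
    findings = []
    task = info["task"]
    if task:
        action = str(task.get("tr", "")).lower()
        if str(task.get("sc", "")).lower() == "minute":
            findings.append("task re-runs every minute (/sc MINUTE)")
        if str(task.get("rl", "")).lower() == "highest":
            findings.append("task asks for the highest run level (/rl HIGHEST)")
        if any(d in action for d in USER_WRITABLE):
            findings.append("task action lives in a user-writable directory")
        if task.get("f") is True:
            findings.append("task silently overwrites an existing task (/f)")
        if any(s.lower() == action for s in info["starts"]):
            findings.append("chain also launches the task action immediately")
    if info["delay"] and info["deletes"]:
        findings.append("delay followed by DEL (self-deletion pattern)")
    return findings


def hunt(records, min_findings=2):
    """Return (image, findings) for every record tripping at least min_findings rules."""
    hits = []
    for image, cmdline in records:
        findings = assess(extract(parse_chain(cmdline)))
        if len(findings) >= min_findings:
            hits.append((image, findings))
    return hits


# Verbatim from the report's Processes section.
REPORT_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    r'schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE '
    r'/tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && '
    r'DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" '
    r'&&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"'
)

# Constructed telemetry: the report's chain plus two benign command lines.
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\cmd.exe", REPORT_CMDLINE),
    (r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C dir C:\Users'),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_RECORDS):
        print(image)
        for finding in findings:
            print("  -", finding)
```

Run against SAMPLE_RECORDS only the report's chain is returned, with all six rules tripped; the plain dir and the daily task under Program Files trip none. The threshold of two findings is deliberate: a single /f or a single task in AppData is common in legitimate installers, the combination with a one-minute interval and highest run level is not.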
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | archive.torproject.org | udp |
| DE | 159.69.63.226:443 | archive.torproject.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.68:80 | apps.identrust.com | tcp |
| DE | 159.69.63.226:443 | archive.torproject.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2056-0-0x0000000001190000-0x00000000011B4000-memory.dmp
memory/2056-1-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp
memory/2056-2-0x000000001ACE0000-0x000000001AD60000-memory.dmp
memory/2056-5-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
| MD5 | 369204590ce91e77109e21a298753522 |
| SHA1 | e981f0c86c42e9e8fcbc7dcff0e05c35887a3869 |
| SHA256 | a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647 |
| SHA512 | bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32 |
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
| MD5 | 369204590ce91e77109e21a298753522 |
| SHA1 | e981f0c86c42e9e8fcbc7dcff0e05c35887a3869 |
| SHA256 | a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647 |
| SHA512 | bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32 |
memory/2932-9-0x0000000001300000-0x0000000001324000-memory.dmp
memory/2932-10-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp
memory/2932-11-0x000000001B2F0000-0x000000001B370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab53ED.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5509.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 76f00ac285f258782317be0e8d041c84 |
| SHA1 | cb6eac17017671666baa6e8f5f79d8256b666c69 |
| SHA256 | 2c761b18173d939b777dc7b65768bc14241269e2c64c91aeec418030edc99c1e |
| SHA512 | b298c1b933b1d202fa56297fa3bd9085f24701e9e5a2270ee48ecc1729ed94225293cc39e631f53a4af375c0e8102ccf2bf19ebdbd33a1906abe0dcf74d37c7e |
memory/2932-86-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
| MD5 | 369204590ce91e77109e21a298753522 |
| SHA1 | e981f0c86c42e9e8fcbc7dcff0e05c35887a3869 |
| SHA256 | a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647 |
| SHA512 | bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32 |
C:\Users\Admin\AppData\Local\84tnjh4449\port.dat
| MD5 | 33b9c7c18ec3acc3747c41e70e9bb3d6 |
| SHA1 | fce7b95fb26969af8afd58102677dd04da9a9f09 |
| SHA256 | a818957b3a1f9857b721ff8ff9127e971302607b483b24a8d7b82ca8c2edff35 |
| SHA512 | dc242acec23a862f7672d0637926897e19d108ce568e7e0b2effbb4baa5a611f9c89e2386c7d5913c8f876fc60266846c2d6c1d98d9cf50738d013fb49d1b6df |
memory/2928-89-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp
memory/2928-90-0x000000001B1D0000-0x000000001B250000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2da9236aae5ad538a5f0338bdaf76bc |
| SHA1 | 48bbae732d72524a287a93350c07525c1c534966 |
| SHA256 | 04ce788de210bc919c18fbdbb12dccd9624c5240e3a898b6f0d16aca4e1ffb5c |
| SHA512 | 97cbd8fcb1a2dd70dc557f047d9e299e508c9f490e060bcf1fd3a2397cc2b850ae8a3a7184278db087468dbd371b342412829e55d19e88c27aa15b95339aa455 |
C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt
| MD5 | 1d2c0986ba3c3af924ad4b8776a45190 |
| SHA1 | e4199810598c592fb4304eb37cf90d2ce2065a11 |
| SHA256 | 8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2 |
| SHA512 | 275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524 |
memory/2928-111-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-08 09:46
Reported
2023-09-08 09:48
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Detect Gurcu Stealer V3 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gurcu, WhiteSnake
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe
"C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
"C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
C:\Windows\System32\tar.exe
"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp7DBB.tmp" -C "C:\Users\Admin\AppData\Local\84tnjh4449"
C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
"C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt"
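The three process lines above are a Tor hidden-service staging sequence: tar.exe unpacks the downloaded archive into a random-named directory under %LOCALAPPDATA%, tor.exe is started with that directory's torrc.txt, and Tor then writes host\hostname (the Files section lists it). Tor stores the .onion name of every configured HiddenServiceDir in <dir>/hostname, so torrc.txt plus that file identify what the host has been made to expose. The Python below is an added example for triaging such a directory, not code from the report or from the sample. It assumes only Tor's documented HiddenServiceDir and HiddenServicePort keywords and the hostname file; the torrc contents and directory tree are constructed, and the 127.0.0.1:51387 mapping is an assumption based solely on the loopback connection under Network, since the report does not reproduce the real torrc.txt.

```python
r"""Triage a dropped Tor hidden-service directory like the 84tnjh4449 one in the report.

Added example (not part of the sandbox report or the malware). The torrc text and
the directory tree are constructed; the 127.0.0.1:51387 port mapping is an
assumption, the report only shows a loopback connection to that port.
"""
import os
import re
import tempfile

# v3 onion addresses: 56 base32 characters followed by ".onion".
ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")


def parse_torrc(text):
    """Return the hidden services declared in a torrc as [{"dir": ..., "ports": [...]}, ...].

    Tor attaches each HiddenServicePort line to the most recent HiddenServiceDir,
    so order matters; a HiddenServicePort with no preceding dir is ignored.
    """
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            services.append({"dir": value, "ports": []})
        elif key == "hiddenserviceport" and services:
            services[-1]["ports"].append(value)
    return services


def read_onion_name(hs_dir):
    """Return the .onion name from <hs_dir>/hostname, or None if absent or malformed."""
    path = os.path.join(hs_dir, "hostname")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="ascii", errors="replace") as fh:
        name = fh.read().strip()
    return name if ONION_V3.match(name) else None


def triage_tor_dir(base):
    """Inspect a staging directory: is tor.exe there, and which onion services does torrc declare?"""
    has_binary = os.path.isfile(os.path.join(base, "tor", "tor.exe"))
    torrc = os.path.join(base, "torrc.txt")
    if not os.path.isfile(torrc):
        return {"tor_binary": has_binary, "services": []}
    with open(torrc, encoding="utf-8", errors="replace") as fh:
        services = parse_torrc(fh.read())
    for svc in services:
        # Tor resolves a relative HiddenServiceDir against its working directory; the
        # report does not show that directory, so resolving against the staging
        # directory is an assumption of this example.
        hs_dir = svc["dir"] if os.path.isabs(svc["dir"]) else os.path.join(base, svc["dir"])
        svc["dir"] = hs_dir
        svc["onion"] = read_onion_name(hs_dir)
    return {"tor_binary": has_binary, "services": services}


# Constructed torrc: the real torrc.txt is not reproduced in the report, and the
# port mapping below is an assumption (see the lead-in).
SAMPLE_TORRC = """\
# constructed for the example
SocksPort 0
HiddenServiceDir host
HiddenServicePort 80 127.0.0.1:51387
"""
SAMPLE_ONION = "b" * 56 + ".onion"   # placeholder with a valid v3 shape


def build_sample_tree():
    """Create a throw-away copy of the layout seen in the report and return its path."""
    base = tempfile.mkdtemp(prefix="84tnjh4449-")
    os.makedirs(os.path.join(base, "tor"))
    os.makedirs(os.path.join(base, "host"))
    open(os.path.join(base, "tor", "tor.exe"), "wb").close()   # stand-in, not the real binary
    with open(os.path.join(base, "torrc.txt"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_TORRC)
    with open(os.path.join(base, "host", "hostname"), "w", encoding="ascii") as fh:
        fh.write(SAMPLE_ONION + "\n")
    return base


if __name__ == "__main__":
    result = triage_tor_dir(build_sample_tree())
    print("tor.exe present:", result["tor_binary"])
    for svc in result["services"]:
        print(svc["onion"], "->", svc["ports"], "from", svc["dir"])
```

On a real host, point triage_tor_dir at the directory the tar.exe command line extracted into; the returned onion name is the identifier to search for across other hosts and in any recovered C2 traffic, and the port list tells you which local service was being exposed. A hostname file that does not match the v3 shape is reported as None rather than trusted, since the attacker controls the directory contents.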
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | archive.torproject.org | udp |
| DE | 159.69.63.226:443 | archive.torproject.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 226.63.69.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| DE | 5.45.102.119:9100 | N/A | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| DE | 188.68.40.46:9100 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:51387 | N/A | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| BR | 191.252.111.55:443 | N/A | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/896-0-0x000002363AEC0000-0x000002363AEE4000-memory.dmp
memory/896-4-0x00007FF920C60000-0x00007FF921721000-memory.dmp
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
| MD5 | 369204590ce91e77109e21a298753522 |
| SHA1 | e981f0c86c42e9e8fcbc7dcff0e05c35887a3869 |
| SHA256 | a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647 |
| SHA512 | bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\369204590CE91E77109E21A298753522.exe.log
| MD5 | 3308a84a40841fab7dfec198b3c31af7 |
| SHA1 | 4e7ab6336c0538be5dd7da529c0265b3b6523083 |
| SHA256 | 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e |
| SHA512 | 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198 |
C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
| MD5 | 369204590ce91e77109e21a298753522 |
| SHA1 | e981f0c86c42e9e8fcbc7dcff0e05c35887a3869 |
| SHA256 | a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647 |
| SHA512 | bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32 |
memory/2864-9-0x00007FF91FB10000-0x00007FF9205D1000-memory.dmp
memory/2864-10-0x0000016029410000-0x0000016029420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7DBB.tmp
| MD5 | 89d2d5811c1aff539bb355f15f3ddad0 |
| SHA1 | 5bb3577c25b6d323d927200c48cd184a3e27c873 |
| SHA256 | b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12 |
| SHA512 | 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289 |
C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
C:\Users\Admin\AppData\Local\84tnjh4449\tor\tor.exe
| MD5 | 88590909765350c0d70c6c34b1f31dd2 |
| SHA1 | 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7 |
| SHA256 | 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82 |
| SHA512 | a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192 |
C:\Users\Admin\AppData\Local\84tnjh4449\torrc.txt
| MD5 | d6a66200b5601d00eec6178552031d19 |
| SHA1 | 3538d7d610299ba3b7730bc946d26e63195b3790 |
| SHA256 | 7e508deb112f877c9ec23a6816bd3461b82537bf87ddf1bcd71ce5661b2869ce |
| SHA512 | e70ffa19fc3e4061c21b2a3d82292598d87878092fb3d0f3362f5ecfeada169a585acdea00ab0ba0ccb3bb6314323040ddd515537b0a5f35e5570f1719eebc48 |
memory/896-37-0x00007FF920C60000-0x00007FF921721000-memory.dmp
C:\Users\Admin\AppData\Local\84tnjh4449\host\hostname
| MD5 | 381c6897bd6379528e8b5669c92f2dac |
| SHA1 | 9ad21365ba61bde0eba634616b5f0122c949fb18 |
| SHA256 | 6e1397ecd92d5c99739e7317e55f2825537fe267333c48150ab041d5b217e290 |
| SHA512 | 16ce8ee97726a5661ceff38c9cf275660e6b0678b02b84f161c001b27dcb18be5d666d1a280db4aa610e26bc32c4f133cb0f1c1df7be94f390816876882b8f19 |
memory/2864-40-0x00007FF91FB10000-0x00007FF9205D1000-memory.dmp
memory/2864-41-0x0000016029410000-0x0000016029420000-memory.dmp