Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/09/2023, 09:48 UTC

General

  • Target

    369204590CE91E77109E21A298753522.exe

  • Size

    119KB

  • MD5

    369204590ce91e77109e21a298753522

  • SHA1

    e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

  • SHA256

    a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

  • SHA512

    bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

  • SSDEEP

    3072:P56Q4BB1q/hJcq4YZRKsySYSLLx9yLjj6TG6WVt9bm+EFyW43LORzMJS/3:Fha6BuQdwLKTGLt9bmhD4q1Mc

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 7 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe
    "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\369204590CE91E77109E21A298753522.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2616
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2688
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "369204590CE91E77109E21A298753522" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2596
        • C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2724 -s 2868
            4⤵
            • Program crash
            PID:2268
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {0516550A-1641-4A9B-82AA-D1C8A7E5B693} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe
        2⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:564
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 564 -s 2952
          3⤵
          • Program crash
          PID:2156

    Network

    • flag-us
      DNS
      archive.torproject.org
      369204590CE91E77109E21A298753522.exe
      Remote address:
      8.8.8.8:53
      Request
      archive.torproject.org
      IN A
      Response
      archive.torproject.org
      IN CNAME
      archive-01.torproject.org
      archive-01.torproject.org
      IN A
      159.69.63.226
    • flag-de
      GET
      https://archive.torproject.org/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz
      369204590CE91E77109E21A298753522.exe
      Remote address:
      159.69.63.226:443
      Request
      GET /tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz HTTP/1.1
      Host: archive.torproject.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 08 Sep 2023 09:48:41 GMT
      Server: Apache
      X-Content-Type-Options: nosniff
      X-Frame-Options: sameorigin
      X-Xss-Protection: 1
      Referrer-Policy: no-referrer
      Strict-Transport-Security: max-age=15768000; preload
      Onion-Location: http://uy3qxvwzwoeztnellvvhxh7ju7kfvlsauka7avilcjg7domzxptbq7qd.onion/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz
      Last-Modified: Thu, 16 Mar 2023 15:33:36 GMT
      ETag: "d42801-5f7062f2cbbbf"
      Accept-Ranges: bytes
      Content-Length: 13903873
      Cache-Control: max-age=2592000
      Expires: Sun, 08 Oct 2023 09:48:41 GMT
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-gzip
      Content-Language: en
    • flag-us
      DNS
      ip-api.com
      369204590CE91E77109E21A298753522.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/line?fields=query,country
      369204590CE91E77109E21A298753522.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /line?fields=query,country HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 08 Sep 2023 09:48:39 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 25
      Access-Control-Allow-Origin: *
      X-Ttl: 22
      X-Rl: 42
    • flag-us
      DNS
      apps.identrust.com
      369204590CE91E77109E21A298753522.exe
      Remote address:
      8.8.8.8:53
      Request
      apps.identrust.com
      IN A
      Response
      apps.identrust.com
      IN CNAME
      identrust.edgesuite.net
      identrust.edgesuite.net
      IN CNAME
      a1952.dscq.akamai.net
      a1952.dscq.akamai.net
      IN A
      2.18.121.68
      a1952.dscq.akamai.net
      IN A
      2.18.121.70
    • flag-us
      GET
      http://apps.identrust.com/roots/dstrootcax3.p7c
      369204590CE91E77109E21A298753522.exe
      Remote address:
      2.18.121.68:80
      Request
      GET /roots/dstrootcax3.p7c HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/6.1
      Host: apps.identrust.com
      Response
      HTTP/1.1 200 OK
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      X-Content-Type-Options: nosniff
      X-Robots-Tag: noindex
      Referrer-Policy: same-origin
      Last-Modified: Mon, 21 Aug 2023 22:08:28 GMT
      ETag: "37d-603761e33cf00"
      Accept-Ranges: bytes
      Content-Length: 893
      X-Content-Type-Options: nosniff
      X-Frame-Options: sameorigin
      Content-Type: application/pkcs7-mime
      Cache-Control: max-age=3600
      Expires: Fri, 08 Sep 2023 10:48:40 GMT
      Date: Fri, 08 Sep 2023 09:48:40 GMT
      Connection: keep-alive
    • flag-us
      GET
      http://ip-api.com/line?fields=query,country
      369204590CE91E77109E21A298753522.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /line?fields=query,country HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 08 Sep 2023 09:49:02 GMT
      Content-Type: text/plain; charset=utf-8
      Content-Length: 25
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • 159.69.63.226:443
      https://archive.torproject.org/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz
      tls, http
      369204590CE91E77109E21A298753522.exe
      278.9kB
      14.4MB
      5638
      10342

      HTTP Request

      GET https://archive.torproject.org/tor-package-archive/torbrowser/12.0.4/tor-expert-bundle-12.0.4-windows-x86_64.tar.gz

      HTTP Response

      200
    • 208.95.112.1:80
      http://ip-api.com/line?fields=query,country
      http
      369204590CE91E77109E21A298753522.exe
      315 B
      367 B
      5
      4

      HTTP Request

      GET http://ip-api.com/line?fields=query,country

      HTTP Response

      200
    • 2.18.121.68:80
      http://apps.identrust.com/roots/dstrootcax3.p7c
      http
      369204590CE91E77109E21A298753522.exe
      323 B
      1.6kB
      4
      4

      HTTP Request

      GET http://apps.identrust.com/roots/dstrootcax3.p7c

      HTTP Response

      200
    • 159.69.63.226:443
      archive.torproject.org
      tls
      369204590CE91E77109E21A298753522.exe
      310.1kB
      14.4MB
      5878
      10350
    • 208.95.112.1:80
      http://ip-api.com/line?fields=query,country
      http
      369204590CE91E77109E21A298753522.exe
      315 B
      367 B
      5
      4

      HTTP Request

      GET http://ip-api.com/line?fields=query,country

      HTTP Response

      200
    • 8.8.8.8:53
      archive.torproject.org
      dns
      369204590CE91E77109E21A298753522.exe
      68 B
      109 B
      1
      1

      DNS Request

      archive.torproject.org

      DNS Response

      159.69.63.226

    • 8.8.8.8:53
      ip-api.com
      dns
      369204590CE91E77109E21A298753522.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      apps.identrust.com
      dns
      369204590CE91E77109E21A298753522.exe
      64 B
      165 B
      1
      1

      DNS Request

      apps.identrust.com

      DNS Response

      2.18.121.68
      2.18.121.70

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      e8c2307c84f29f371ed8369fe7a0ebd6

      SHA1

      44f1ff2f7f865a21d4b742a65644ac562a288f01

      SHA256

      4ddd066007e4f287250340425b71ac9ef4c50eb8a222a785429a7b98fd8e6fba

      SHA512

      104851eaf146457546f7494111d9441f0775899f147902f6379b810cc02e6fe08d077646af00dac4fd6309ac70c85b9b50da94c50589c84edfbff5e2a0871a02

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      f03b146b2e78605d53368549e6d94f18

      SHA1

      814f228b5a9880f56dabf2ba5581735aae73b691

      SHA256

      f84ddcac3ba57e6e3fe1cade0bd844ec3511691fab1754067a921ae92c067419

      SHA512

      24c02099beaf7965ed03ddca461cb2739da9cdac31ad4011aea777de5a94c6bbd925cc9cdb03435c3b77190935722647d532b83c43bdaff2d7032f0ac76ca034

    • C:\Users\Admin\AppData\Local\84tnjh4449\port.dat

      Filesize

      4B

      MD5

      baed9f51d412c2514ee46a0942138ad6

      SHA1

      45936e464b0f4fb92fed14504f9c50a909729e99

      SHA256

      07492b151560912565b471452f8baadbf3bc80c73814708053d9e4fb7e6e1401

      SHA512

      32e44fd6b30ffee03bbd7eab1000f2ab43defbef6b74aba10eaf0788000167883cdcd0eaf14e9fe0d52ab160d687199634ea2fe1d807399f3ac9bfe2ae62af23

    • C:\Users\Admin\AppData\Local\EsetSecurity\369204590CE91E77109E21A298753522.exe

      Filesize

      119KB

      MD5

      369204590ce91e77109e21a298753522

      SHA1

      e981f0c86c42e9e8fcbc7dcff0e05c35887a3869

      SHA256

      a245b51ab711d20b944edca262659dba3a0ee6d1590c8f55a858ce82e2a1c647

      SHA512

      bf4367a692eb1f4c31533ee1391cfc1708c75bf726dd5287ac0fa2e602664fa3a74458ded18c1831db16f0462b202f79b10d0f82f3bcb98423a460002e04cf32

    • C:\Users\Admin\AppData\Local\Temp\CabD27E.tmp

      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    • C:\Users\Admin\AppData\Local\Temp\TarD2C0.tmp

      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

      Filesize

      41B

      MD5

      1dc1f257ec74e0488f5e190eae799941

      SHA1

      93cdcdacd427c6154c12475d5a809495d0d55b3b

      SHA256

      04aa645fad7315470fc6be35f94cf06c65e592f32da763bd140d6bd36d5bc7d3

      SHA512

      5e092057d83adc2299e3553e43cd5191a83969bcb5ed6edf824da9c0d6097d839395119bc4ecb9041c26539e6611c9e31750c3e61f05b67b8a5bc129f6bfbb53

    • memory/564-79-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

      Filesize

      9.9MB

    • memory/564-103-0x000000001B160000-0x000000001B1E0000-memory.dmp

      Filesize

      512KB

    • memory/564-102-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

      Filesize

      9.9MB

    • memory/564-80-0x000000001B160000-0x000000001B1E0000-memory.dmp

      Filesize

      512KB

    • memory/2300-2-0x000000001B050000-0x000000001B0D0000-memory.dmp

      Filesize

      512KB

    • memory/2300-5-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

      Filesize

      9.9MB

    • memory/2300-1-0x0000000000E50000-0x0000000000E74000-memory.dmp

      Filesize

      144KB

    • memory/2300-0-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

      Filesize

      9.9MB

    • memory/2724-77-0x000000001B330000-0x000000001B3B0000-memory.dmp

      Filesize

      512KB

    • memory/2724-76-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

      Filesize

      9.9MB

    • memory/2724-11-0x000000001B330000-0x000000001B3B0000-memory.dmp

      Filesize

      512KB

    • memory/2724-9-0x00000000008D0000-0x00000000008F4000-memory.dmp

      Filesize

      144KB

    • memory/2724-10-0x000007FEF4D50000-0x000007FEF573C000-memory.dmp

      Filesize

      9.9MB
