gurcu | aaa5229f28d23d73480f06b29368808f6d23b7fdaa4c5946250084247cf2192c

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2023 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe
Size

324KB
MD5

3a4b332f0b65e0590f1fc1f07a516a59
SHA1

0ec94ea9e4e09abf1de65568b8864d21598cbcae
SHA256

aaa5229f28d23d73480f06b29368808f6d23b7fdaa4c5946250084247cf2192c
SHA512

34214d32b15bdf4ec70cf56876f110bdd36cdcd7e520ad0b9dd8ddbd85515f2baedda269dede378f43293c29efab81aec4f95c851a127fbb406c36796c4361c7
SSDEEP

3072:QdrpN/JxLKd5hkMnSFw73WnRO5UrYKBxwK30MIQbkMl+IOc2MZhUeNMhlB+Fp7vM:5PsGI4pfoN32h6SKrbq9blQPffL

Score

10^/10

gurcu collection spyware stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot6021370805:AAFbCSlFairNgnxSj8mC6Wtf7PW5yGyWmcE/sendMessage?chat_id=6254396725

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe
Key opened	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe
Key opened	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
179	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2560	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4664	2180	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe	97
PID 2180 wrote to memory of 4664	2180	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe	97
PID 4664 wrote to memory of 1516	4664	cmd.exe	99
PID 4664 wrote to memory of 1516	4664	cmd.exe	99
PID 4664 wrote to memory of 2560	4664	cmd.exe	100
PID 4664 wrote to memory of 2560	4664	cmd.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe

C:\Users\Admin\AppData\Local\Temp\ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe
"C:\Users\Admin\AppData\Local\Temp\ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\ib0905dda0f2c3e0ed1483d05a9f368aaf094.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1516
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x00000201D85C0000-0x00000201D8618000-memory.dmp

Filesize
352KB

Download
memory/2180-1-0x00007FFDF35A0000-0x00007FFDF4061000-memory.dmp

Filesize
10.8MB

Download
memory/2180-2-0x00000201F2CB0000-0x00000201F2CC0000-memory.dmp

Filesize
64KB

Download
memory/2180-3-0x00007FFDF35A0000-0x00007FFDF4061000-memory.dmp

Filesize
10.8MB

Download
memory/2180-4-0x00000201F2CB0000-0x00000201F2CC0000-memory.dmp

Filesize
64KB

Download
memory/2180-7-0x00007FFDF35A0000-0x00007FFDF4061000-memory.dmp

Filesize
10.8MB

Download