Malware Analysis Report

2024-10-19 06:43

Sample ID 230913-prw8psed27
Target f21559ac7c67d871d4f05.exe
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129

Threat Level: Known bad

The file f21559ac7c67d871d4f05.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Gurcu family

Gurcu, WhiteSnake

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Creates scheduled task(s)

outlook_win_path

outlook_office_path

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 12:34

Signatures

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 12:34

Reported

2023-09-13 12:37

Platform

win7-20230831-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value not captured] C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe C:\Windows\System32\cmd.exe
PID 2324 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe C:\Windows\System32\cmd.exe
PID 2324 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe C:\Windows\System32\cmd.exe
PID 3056 wrote to memory of 1280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3056 wrote to memory of 1280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3056 wrote to memory of 1280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3056 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3056 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3056 wrote to memory of 2572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3056 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3056 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3056 wrote to memory of 2712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3056 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 3056 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 3056 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2796 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe C:\Windows\system32\WerFault.exe
PID 2796 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe C:\Windows\system32\WerFault.exe
PID 2796 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe C:\Windows\system32\WerFault.exe
PID 2116 wrote to memory of 836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2116 wrote to memory of 836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 2116 wrote to memory of 836 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
PID 836 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe C:\Windows\system32\WerFault.exe
PID 836 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe C:\Windows\system32\WerFault.exe
PID 836 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2796 -s 3140

C:\Windows\system32\taskeng.exe

taskeng.exe {DD65D386-F9A3-4856-9BDC-D7B1BF9A492F} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 836 -s 2940

Network

Country Destination Domain Proto
US 8.8.8.8:53 archive.torproject.org udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 google.com udp
DE 159.69.63.226:443 archive.torproject.org tcp
NL 142.250.179.142:80 google.com tcp
US 140.82.112.3:80 github.com tcp
US 140.82.112.3:80 github.com tcp
US 8.8.8.8:53 youtube.com udp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:80 youtube.com tcp
US 140.82.112.3:443 github.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 140.82.112.3:80 github.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.138:80 apps.identrust.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:80 github.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 openai.com udp
DE 159.69.63.226:443 archive.torproject.org tcp
US 13.107.213.67:80 openai.com tcp
US 140.82.112.3:80 github.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 13.107.213.67:443 openai.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:80 telegram.org tcp
US 140.82.112.3:443 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 140.82.112.3:443 github.com tcp
NL 149.154.167.99:443 telegram.org tcp
US 140.82.112.3:443 github.com tcp

Files

memory/2324-0-0x0000000000C70000-0x0000000000CC8000-memory.dmp

memory/2324-1-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

memory/2324-2-0x000000001ABB0000-0x000000001AC30000-memory.dmp

memory/2324-5-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

memory/2796-10-0x0000000000CC0000-0x0000000000D18000-memory.dmp

memory/2796-9-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

memory/2796-11-0x000000001B3C0000-0x000000001B440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6941.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar69C1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c64d1a94cdbab4448f29341ac943a1c
SHA1 fc7deeec2c72a644dfef2568beb20ddda596d3e9
SHA256 f4cd0ef6bfeafc0987413647fd84806e41303f48787c4dd2423fbac031256250
SHA512 ecf5abe7046b9eb7e7725e805b5df28675ed0e74444bcca261a7db35f1194773320c1566d7626cc773b5d8c4f5bf46f574ed84dec3ec6e330240b1a88cb27955

memory/2796-121-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

memory/836-123-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

memory/836-124-0x000000001B2A0000-0x000000001B320000-memory.dmp

C:\Users\Admin\AppData\Local\z1jp774dks\port.dat

MD5 e45823afe1e5120cec11fc4c379a0c67
SHA1 58ccaf222dc66b043b280f669a3bf96192483cf1
SHA256 c5d4a63dbef4f919bd9cb1690deb3aa0eca57e71fc9af9570465852e2e91357c
SHA512 2f7a6884e6d7a60080b73960f1f787737cd5c0b90df2f9c80e34d4abe1d91302e0629a8fad0c9bc6d1c45eeee5bd9333196affef6619004b4e4394b09352a4e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f9dc9581f5678cc0078351f9eee89409
SHA1 c12774df6a69c56e621d0ec7388716802b3db129
SHA256 587e8a0cc41985b8bfb4213e007394fa40bea89d2d17e97f8f62ef4c79a50935
SHA512 6e7b9562657c6ce89537a93a1e5b1d9bfca73d662baa63a88e33e0c44f632d5792c3f045a483e8cbd9a1ef6daa3efac4b832a95cfb11bcdef1a7c37c0b6cf4da

memory/836-162-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-13 12:34

Reported

2023-09-13 12:37

Platform

win10v2004-20230831-en

Max time kernel

9s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

Signatures

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

"C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 archive.torproject.org udp
US 140.82.112.3:80 github.com tcp
DE 159.69.63.226:443 archive.torproject.org tcp
US 140.82.112.3:80 github.com tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:80 github.com tcp
US 140.82.112.3:443 github.com tcp
NL 216.58.214.14:80 youtube.com tcp
NL 216.58.214.14:80 youtube.com tcp
US 8.8.8.8:53 3.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 226.63.69.159.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
NL 142.250.179.142:80 google.com tcp
US 8.8.8.8:53 pornhub.com udp
US 66.254.114.41:80 pornhub.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 66.254.114.41:443 pornhub.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 41.114.254.66.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.pornhub.com udp
US 66.254.114.41:443 www.pornhub.com tcp
NL 154.61.71.13:80 tcp
US 140.82.112.3:443 github.com tcp
US 140.82.112.3:443 github.com tcp

Files

memory/3768-0-0x000002793D8E0000-0x000002793D938000-memory.dmp

memory/3768-1-0x00007FFBEFD20000-0x00007FFBF07E1000-memory.dmp

memory/3768-3-0x0000027958020000-0x0000027958030000-memory.dmp

memory/3768-6-0x00007FFBEFD20000-0x00007FFBF07E1000-memory.dmp

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

MD5 78fd6df30f791c7b5f45dca0b4c952a5
SHA1 d977ca82da0850eb5d4e69c9c657d1a41fb9c44d
SHA256 dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129
SHA512 abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f21559ac7c67d871d4f05.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/2100-11-0x00007FFBEECB0000-0x00007FFBEF771000-memory.dmp

memory/2100-12-0x0000021A737F0000-0x0000021A73800000-memory.dmp