Overview

overview

10

Static

static

10

I63f8affb2...ba.exe

windows7-x64

10

I63f8affb2...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2023 05:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    I63f8affb2294c837814c33f5446924ba.exe

  • Size

    89KB

  • MD5

    dfb3936eb972928af9ec106505364786

  • SHA1

    06a05bf8d2675ea58e44d3fdc0d9e610be021ca8

  • SHA256

    2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93

  • SHA512

    e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f

  • SSDEEP

    1536:/JVNAuC4/P1xAqm9wRC+IWMVYJGOupb1cus6SQsjhp5cNbMQaZ9bqk4gxmsuZmQ+:fN//HAqm9wRC+IWMVYJGOubXsjL5wvsD

Score
10/10
gurcucollectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 3 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe
    "C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3420
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1304
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:1988
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4528
        • C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1504
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp" -C "C:\Users\Admin\AppData\Local\jdm9hu6p1h"
            4⤵
              PID:2480
            • C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe
              "C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:2176

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
        Filesize

        89KB

        MD5

        dfb3936eb972928af9ec106505364786

        SHA1

        06a05bf8d2675ea58e44d3fdc0d9e610be021ca8

        SHA256

        2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93

        SHA512

        e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f

        Download Submit

      • C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
        Filesize

        89KB

        MD5

        dfb3936eb972928af9ec106505364786

        SHA1

        06a05bf8d2675ea58e44d3fdc0d9e610be021ca8

        SHA256

        2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93

        SHA512

        e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\I63f8affb2294c837814c33f5446924ba.exe.log
        Filesize

        1KB

        MD5

        fc1be6f3f52d5c841af91f8fc3f790cb

        SHA1

        ac79b4229e0a0ce378ae22fc6104748c5f234511

        SHA256

        6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

        SHA512

        2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpFCFD.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • C:\Users\Admin\AppData\Local\jdm9hu6p1h\data\cached-microdesc-consensus.tmp
        Filesize

        2.7MB

        MD5

        c8eab448f2d958af2f5b8b13a07b1df5

        SHA1

        be084aed25bc28de101f9a74fdbb1f9fc6293ec6

        SHA256

        89345602270280980ec8c07f08b0feb2499072f102af1a9b7b3f61b10ab0e468

        SHA512

        7dfb251edd5ba0167b29d9a33411e353d5e0d7104eca4a1b7621fe5e3f723d9e9e9391ac1906e582dc254693295231d6c27c678af728873c928da7a5facaac93

        Download Submit

      • C:\Users\Admin\AppData\Local\jdm9hu6p1h\data\cached-microdescs.new
        Filesize

        6.4MB

        MD5

        ec369b59d6ec153b451a65fc9b12db4e

        SHA1

        d34881f9fde23e7dfc2666ffd1821be729fbbd4e

        SHA256

        f4f9a17e8f0c90864916b51621b27af90654bcac17984eeb757e978b766cacd0

        SHA512

        f578775f0eea2391711c8c98a891079c2396b29300a110e33ffba911d9442e4ba803a283033594b9456e6986c6dd5cd0016e40ce13435cf6730ac2088b7d72f7

        Download Submit

      • C:\Users\Admin\AppData\Local\jdm9hu6p1h\host\hostname
        Filesize

        64B

        MD5

        540adcf35dea5b5f839e1a076f288be7

        SHA1

        f5eb5e41d942780ef1db4373ab8950b72a3145a9

        SHA256

        3262bbcc065509953da2c1a65b30d045d41686f354c6f6e9b997a0748edfe8b6

        SHA512

        e8c232051eea2d71994cfcfaaa4607c07ea81612f77601ca0fad1e7f122a66e00c1be5c29bae9e0717f688dfbceb59b30cc92b793e49bdae8c453a438864d828

        Download Submit

      • C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\jdm9hu6p1h\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\jdm9hu6p1h\torrc.txt
        Filesize

        218B

        MD5

        45141efbaeabc9241ff81da062f50ddd

        SHA1

        2c73309a2ab508a83f8d3b905d125cd5d986eb3d

        SHA256

        de6724f5e4037654a7434ed02ccaa77c211a2ab2b2df3e0df1da9e735c9ffbaa

        SHA512

        720f86f62edba43abc996eb1d65c39e56219b49fa55924f7cb1c304836e53a8ea91f9d55ef6d834bd1a34f6b8576a43fd2e916d179d9e5da1d4fc5fbebb1075f

        Download Submit

      • memory/1504-12-0x000001F8B06B0000-0x000001F8B06C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1504-11-0x00007FF850C00000-0x00007FF8516C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1504-45-0x00007FF850C00000-0x00007FF8516C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1504-51-0x000001F8B06B0000-0x000001F8B06C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3104-0-0x0000027783A40000-0x0000027783A5C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3104-6-0x00007FF8514D0000-0x00007FF851F91000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3104-2-0x00000277840D0000-0x00000277840E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3104-1-0x00007FF8514D0000-0x00007FF851F91000-memory.dmp

        Filesize

        10.8MB

        Download