Overview

overview

10

Static

static

10

D5f0a5d17c...76.exe

windows7-x64

10

D5f0a5d17c...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2023 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    D5f0a5d17c7420fe49da676.exe

  • Size

    250KB

  • MD5

    24a8408510d9b173b9dc078574261d28

  • SHA1

    2ecfc788687aadbd9cc42ea311210f7cde5fa064

  • SHA256

    67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

  • SHA512

    de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

  • SSDEEP

    6144:PY6+lYxyWoekN4B2We2TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tjQ9bMXq:PxpmWHgf8Y6/Qp1nLiDKhFX

Score
10/10
gurcucollectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 3 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe
    "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4676
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3660
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:3384
        • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2928
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp" -C "C:\Users\Admin\AppData\Local\6rfb5r0uff"
            4⤵
              PID:1584
            • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
              "C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:1312

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\data\cached-microdesc-consensus.tmp
        Filesize

        2.7MB

        MD5

        8f4baf1bd0a79cd74deae40a54208173

        SHA1

        4a3d378b958e3e7ab633f46bb97232813ad5e0ed

        SHA256

        b28e8d51120a7148ed0656c141667c5f9eff38f17288795a10ccf09b3edbc809

        SHA512

        fa37e67a2c66df6bd3d29599da2052bac69c9d27111e8055827bbb115204c50486b040d9709f45ffa3e64c0d449f52a16a57938624ca7677e3cbac3c8e06be8a

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\data\cached-microdescs.new
        Filesize

        5.1MB

        MD5

        ad89ae35c19a209331f23d97766e36bf

        SHA1

        bb518b03d04149f9245f6a36679e0c7d0f70e341

        SHA256

        a11536ca31b12bda72e05a1caa1b65074ff3e5e3cfea491f05c48f0b368c8103

        SHA512

        dccae9396b1addd29b5d8001dc439f2295054fe3ddc54361d25ae0defc6a4503db9f28a25b162e6630f1e3da0b145956150480a04a4858c7ba8382ef737b5206

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\host\hostname
        Filesize

        64B

        MD5

        776420d55191aa2f9671f422d0a9b618

        SHA1

        5bf9748fa31e3f1094d5569d62b3c2535e0388c1

        SHA256

        558b52222cb5441c37f5dd0d0cf5a525336e6fcc81bf14481b2c2041d4b4b845

        SHA512

        9dea846289914870e705b9631b2ec164e984f8d597e3411d632c0f625d7bf19ea8cb3cdb53880c4864f7c1038beecda0df41b7f751cc94504022061b7ea9338d

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\6rfb5r0uff\torrc.txt
        Filesize

        218B

        MD5

        a1423896d1e53a4d60a2872773d9c589

        SHA1

        e0f70ed4e6d93c571eda9ed8e1204837311b3747

        SHA256

        14554a90c5f3ddaf04003f15a28b03c6480917d467a1b12f0402a244b3c0b71e

        SHA512

        fae2e598b4798524ec992bb5d642805de3e4050f61657426c3f212bfd5bc143f3ef7f7419deb58876e5525291dcee022d5b45e9880d534d21065257f1d5c6b50

        Download Submit

      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        Filesize

        250KB

        MD5

        24a8408510d9b173b9dc078574261d28

        SHA1

        2ecfc788687aadbd9cc42ea311210f7cde5fa064

        SHA256

        67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

        SHA512

        de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

        Download Submit

      • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
        Filesize

        250KB

        MD5

        24a8408510d9b173b9dc078574261d28

        SHA1

        2ecfc788687aadbd9cc42ea311210f7cde5fa064

        SHA256

        67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

        SHA512

        de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D5f0a5d17c7420fe49da676.exe.log
        Filesize

        1KB

        MD5

        fc1be6f3f52d5c841af91f8fc3f790cb

        SHA1

        ac79b4229e0a0ce378ae22fc6104748c5f234511

        SHA256

        6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910

        SHA512

        2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp74E2.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • memory/2928-11-0x00007FF821C10000-0x00007FF8226D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2928-12-0x00000197A91F0000-0x00000197A9200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2928-45-0x00007FF821C10000-0x00007FF8226D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2928-50-0x00000197A91F0000-0x00000197A9200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-0-0x000001F251D50000-0x000001F251D94000-memory.dmp

        Filesize

        272KB

        Download

      • memory/4228-6-0x00007FF822900000-0x00007FF8233C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4228-2-0x000001F252190000-0x000001F2521A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4228-1-0x00007FF822900000-0x00007FF8233C1000-memory.dmp

        Filesize

        10.8MB

        Download