Analysis Overview
SHA256
7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2
Threat Level: Known bad
The file t536f0746f287ffe6c9131c.exe was found to be: Known bad.
Malicious Activity Summary
Gurcu, WhiteSnake
Gurcu family
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-14 02:08
Signatures
Gurcu family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-14 02:08
Reported
2023-10-14 15:14
Platform
win7-20230831-en
Max time kernel
11s
Max time network
19s
Command Line
Signatures
Gurcu, WhiteSnake
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe
"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
"C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"
Network
Files
memory/2300-0-0x0000000000A90000-0x0000000000AF6000-memory.dmp
memory/2300-1-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp
memory/2300-2-0x0000000002370000-0x00000000023F0000-memory.dmp
memory/2300-5-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp
C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
| MD5 | e4d3a1d9c41d306200aa39ee9f718474 |
| SHA1 | 7af7cd1865189d69c94fdb28d38b090d322fb134 |
| SHA256 | 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2 |
| SHA512 | 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186 |
C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
| MD5 | e4d3a1d9c41d306200aa39ee9f718474 |
| SHA1 | 7af7cd1865189d69c94fdb28d38b090d322fb134 |
| SHA256 | 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2 |
| SHA512 | 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186 |
memory/2492-9-0x0000000000CC0000-0x0000000000D26000-memory.dmp
memory/2492-10-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-14 02:08
Reported
2023-10-14 15:15
Platform
win10v2004-20230915-en
Max time kernel
6s
Max time network
121s
Command Line
Signatures
Gurcu, WhiteSnake
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe
"C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\t536f0746f287ffe6c9131c.exe" &&START "" "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\schtasks.exe
schtasks /create /tn "t536f0746f287ffe6c9131c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
"C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
Files
memory/1748-0-0x0000027B5B2F0000-0x0000027B5B356000-memory.dmp
memory/1748-3-0x00007FFEF8FF0000-0x00007FFEF9AB1000-memory.dmp
memory/1748-4-0x0000027B759F0000-0x0000027B75A00000-memory.dmp
memory/1748-6-0x00007FFEF8FF0000-0x00007FFEF9AB1000-memory.dmp
C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
| MD5 | e4d3a1d9c41d306200aa39ee9f718474 |
| SHA1 | 7af7cd1865189d69c94fdb28d38b090d322fb134 |
| SHA256 | 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2 |
| SHA512 | 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186 |
C:\Users\Admin\AppData\Local\TeamViewer\t536f0746f287ffe6c9131c.exe
| MD5 | e4d3a1d9c41d306200aa39ee9f718474 |
| SHA1 | 7af7cd1865189d69c94fdb28d38b090d322fb134 |
| SHA256 | 7e2371898d8c9121075812f5b9a57de66e7a11ac686042ac6bf59c07b2ad51a2 |
| SHA512 | 6fa7a52bedf77f2ff42d4042a6d4381003e63b38038062b89b7a69395db1dd2a44ac449036f901dabf2d1aaffef0e463d7c347f5c360bb72d2cc3f932358d186 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\t536f0746f287ffe6c9131c.exe.log
| MD5 | 3308a84a40841fab7dfec198b3c31af7 |
| SHA1 | 4e7ab6336c0538be5dd7da529c0265b3b6523083 |
| SHA256 | 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e |
| SHA512 | 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198 |
memory/1792-11-0x00007FFEF7B80000-0x00007FFEF8641000-memory.dmp
memory/1792-12-0x0000016A70770000-0x0000016A70780000-memory.dmp