gurcu | 2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93 | Triage

Resubmissions

10-04-2024 02:45

240410-c88xlscb89 10

10-04-2024 02:45

240410-c88a3scb88 10

10-04-2024 02:45

240410-c8631scb86 10

10-04-2024 02:45

240410-c86ggscb85 10

14-10-2023 02:07

231014-cj7cgsba81 10

Analysis

max time kernel
316s
max time network
1608s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-04-2024 02:45

Sharing

Report Analysis Logs

General

Target

I63f8affb2294c837814c33f5446924ba.exe
Size

89KB
MD5

dfb3936eb972928af9ec106505364786
SHA1

06a05bf8d2675ea58e44d3fdc0d9e610be021ca8
SHA256

2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93
SHA512

e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f
SSDEEP

1536:/JVNAuC4/P1xAqm9wRC+IWMVYJGOupb1cus6SQsjhp5cNbMQaZ9bqk4gxmsuZmQ+:fN//HAqm9wRC+IWMVYJGOubXsjL5wvsD

Score

10^/10

gurcu collection spyware stealer

Malware Config

Signatures

Detect Gurcu Stealer V3 payload 2 IoCs

resource	yara_rule
behavioral2/memory/164-0-0x000002142D790000-0x000002142D7AC000-memory.dmp	family_gurcu_v3
behavioral2/files/0x000800000001ac18-8.dat	family_gurcu_v3

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Executes dropped EXE 2 IoCs

pid	Process
3112	I63f8affb2294c837814c33f5446924ba.exe
4920	I63f8affb2294c837814c33f5446924ba.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

Email Collection

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1924	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2988	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3112	I63f8affb2294c837814c33f5446924ba.exe
4920	I63f8affb2294c837814c33f5446924ba.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	164	I63f8affb2294c837814c33f5446924ba.exe
Token: SeDebugPrivilege	3112	I63f8affb2294c837814c33f5446924ba.exe
Token: SeDebugPrivilege	4920	I63f8affb2294c837814c33f5446924ba.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 164 wrote to memory of 3540	164	I63f8affb2294c837814c33f5446924ba.exe	74
PID 164 wrote to memory of 3540	164	I63f8affb2294c837814c33f5446924ba.exe	74
PID 3540 wrote to memory of 216	3540	cmd.exe	76
PID 3540 wrote to memory of 216	3540	cmd.exe	76
PID 3540 wrote to memory of 2988	3540	cmd.exe	77
PID 3540 wrote to memory of 2988	3540	cmd.exe	77
PID 3540 wrote to memory of 1924	3540	cmd.exe	78
PID 3540 wrote to memory of 1924	3540	cmd.exe	78
PID 3540 wrote to memory of 3112	3540	cmd.exe	79
PID 3540 wrote to memory of 3112	3540	cmd.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	I63f8affb2294c837814c33f5446924ba.exe

C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe
"C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\I63f8affb2294c837814c33f5446924ba.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:216
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2988
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "I63f8affb2294c837814c33f5446924ba" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1924
- - C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
    "C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3112

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EsetSecurity\I63f8affb2294c837814c33f5446924ba.exe

Filesize
89KB

MD5
dfb3936eb972928af9ec106505364786

SHA1
06a05bf8d2675ea58e44d3fdc0d9e610be021ca8

SHA256
2d1765fd2323db0b7a1b2a4413f793bb6b3a544ed7ba19c1b0d9c4db80747a93

SHA512
e71c24d1804792be45281e70e97d909817e18d0948dcaf86b3e49d22d9f085278b8d043613f1fee0468a28f9e10218ac2cce3315e4c1575f242b324f606e950f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\I63f8affb2294c837814c33f5446924ba.exe.log

Filesize
1KB

MD5
d51a38b0538aafbb39cd4743767cf2a3

SHA1
ec819ad7959110e2244b2978e4a60e4c5e99961d

SHA256
8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22

SHA512
51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

Filesize
82B

MD5
1d2c0986ba3c3af924ad4b8776a45190

SHA1
e4199810598c592fb4304eb37cf90d2ce2065a11

SHA256
8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2

SHA512
275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

Download Submit
C:\Users\Admin\AppData\Local\jdm9hu6p1h\port.dat

Filesize
4B

MD5
d5eca8dc3820cad9fe56a3bafda65ca1

SHA1
ed1c2eb0cebb24154dc80b9f93d9e812d00fc8d4

SHA256
8780876d4ec2824442d2e402fd7c82f1bacab29fcd7b2fcac677ee99937c09ee

SHA512
84b6534b0f6e1c167f10210f4453841f6283fff7a6eadf9e4982146087d345465db9070a2b97dba0655977b7d808c01c9932d4b761a608fed192d66b3a93bf94

Download Submit
memory/164-6-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

Filesize
9.9MB

Download
memory/164-2-0x0000021447D90000-0x0000021447DA0000-memory.dmp

Filesize
64KB

Download
memory/164-0-0x000002142D790000-0x000002142D7AC000-memory.dmp

Filesize
112KB

Download
memory/164-1-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

Filesize
9.9MB

Download
memory/3112-11-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

Filesize
9.9MB

Download
memory/3112-12-0x0000022A7DFB0000-0x0000022A7DFC0000-memory.dmp

Filesize
64KB

Download
memory/3112-16-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

Filesize
9.9MB

Download
memory/3112-17-0x0000022A7DFB0000-0x0000022A7DFC0000-memory.dmp

Filesize
64KB

Download
memory/4920-19-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-20-0x000002041ADF0000-0x000002041AE00000-memory.dmp

Filesize
64KB

Download
memory/4920-25-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

Filesize
9.9MB

Download
memory/4920-26-0x000002041ADF0000-0x000002041AE00000-memory.dmp

Filesize
64KB

Download