Resubmissions

10-04-2024 02:29

240410-cy22baca54 10

10-04-2024 02:29

240410-cy2esafc8z 10

10-04-2024 02:29

240410-cy1s9aca52 10

10-04-2024 02:29

240410-cy1hgsfc8x 10

14-10-2023 01:29

231014-bwm9pshg4t 10

Analysis

  • max time kernel
    837s
  • max time network
    837s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-04-2024 02:29

General

  • Target

    D5f0a5d17c7420fe49da676.exe

  • Size

    250KB

  • MD5

    24a8408510d9b173b9dc078574261d28

  • SHA1

    2ecfc788687aadbd9cc42ea311210f7cde5fa064

  • SHA256

    67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

  • SHA512

    de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

  • SSDEEP

    6144:PY6+lYxyWoekN4B2We2TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tjQ9bMXq:PxpmWHgf8Y6/Qp1nLiDKhFX

Malware Config

Signatures

  • Detect Gurcu Stealer V3 payload 5 IoCs
  • Gurcu, WhiteSnake

    Gurcu (also tracked as WhiteSnake) is an information stealer written in C#.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe
    "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2700
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2704
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2784
        • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2772 -s 2992
            4⤵
              PID:1176
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {6F639529-0B2C-4152-AC3F-45BCE4CB1B11} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
          C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe
          2⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2060
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2060 -s 3080
            3⤵
              PID:952
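
The cmd.exe line above is the whole persistence routine in one shot: chcp sets the console code page, ping 127.0.0.1 acts as a short sleep, schtasks registers a task that runs the copy in %LOCALAPPDATA%\EsetSecurity every minute at highest run level, DEL removes the original from Temp, and START launches the copy. Added example (not part of this report and not the sample's own code): a Python detection that parses such a cmd.exe /C chain and the schtasks arguments over constructed process-creation events modelled on the process tree, with two benign controls. The event tuple shape, the list of user-writable directories and the two-indicator threshold are assumptions for illustration.

```python
import re

# Constructed sample events (pid, ppid, image, command line): the first three
# mirror the process tree in this report; the last two are benign controls.
SAMPLE_EVENTS = [
    (2244, 1000, r"C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe"'),
    (1932, 2244, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create '
     r'/tn "D5f0a5d17c7420fe49da676" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity'
     r'\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f && DEL /F /S /Q /A '
     r'"C:\Users\Admin\AppData\Local\Temp\D5f0a5d17c7420fe49da676.exe" &&START "" '
     r'"C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe"'),
    (2784, 1932, r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /tn "D5f0a5d17c7420fe49da676" /sc MINUTE '
     r'/tr "C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe" /rl HIGHEST /f'),
    (3100, 3000, r"C:\Windows\system32\schtasks.exe",
     r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
    (3200, 3000, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 && echo done'),
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Directories an unprivileged user can write to; tune for your estate (assumption).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [bare or quoted for quoted, bare in TOKEN_RE.findall(cmdline)]


def split_chain(cmdline):
    """Return the individual commands of a `cmd.exe /C a && b && c` line.
    Assumes no '&&' inside quoted arguments, which holds for the sample."""
    m = re.search(r"\s/[ck]\s+", cmdline, re.IGNORECASE)
    payload = cmdline[m.end():] if m else cmdline
    return [c for c in re.split(r"\s*&&\s*", payload) if c]


def parse_schtasks(cmd):
    """Parse `schtasks /create ...` into its switches; None if it is not a /create call."""
    toks = tokenize(cmd)
    if not toks or not re.search(r"schtasks(\.exe)?$", toks[0], re.IGNORECASE):
        return None
    if "/create" not in (t.lower() for t in toks):
        return None
    task = {"tn": None, "sc": None, "mo": None, "tr": None, "rl": None, "force": False}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/f":
            task["force"] = True
        elif t in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            task[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return task


def task_indicators(task):
    """Reasons a /create call looks like malware persistence rather than admin work."""
    reasons = []
    if USER_WRITABLE_RE.search(task["tr"] or ""):
        reasons.append("task action runs from a user-writable directory")
    if (task["sc"] or "").upper() == "MINUTE" and not task["mo"]:
        reasons.append("task fires every minute (/sc MINUTE without /mo)")
    if (task["rl"] or "").upper() == "HIGHEST":
        reasons.append("task requests the highest run level")
    if task["force"]:
        reasons.append("task silently overwrites any task of the same name (/f)")
    return reasons


def chain_indicators(cmdline):
    """Reasons a cmd.exe /C chain looks like delay -> persist -> self-delete -> relaunch."""
    seen, reasons = {}, []
    for cmd in split_chain(cmdline):
        toks = tokenize(cmd)
        verb = toks[0].lower() if toks else ""
        args = [t for t in toks[1:] if not t.startswith("/")]
        if verb == "ping" and "127.0.0.1" in args:
            seen["delay"] = True
        elif re.search(r"schtasks(\.exe)?$", verb):
            task = parse_schtasks(cmd)
            if task:
                seen["task_target"] = (task["tr"] or "").lower()
                reasons += task_indicators(task)
        elif verb == "del" and args:
            seen["deleted"] = args[-1].lower()
        elif verb == "start" and args:
            # START takes an optional window title first ("" in the sample), then the program
            seen["started"] = (args[1] if len(args) > 1 else args[0]).lower()
    if seen.get("delay"):
        reasons.append("ping 127.0.0.1 used as a sleep before the next step")
    if "deleted" in seen and "started" in seen and seen["deleted"] != seen["started"]:
        reasons.append("deletes one executable and starts another (self-delete after copy)")
    if seen.get("task_target") and seen.get("task_target") == seen.get("started"):
        reasons.append("scheduled task action is the very binary being relaunched")
    return reasons


def detect(events, min_reasons=2):
    """Return {pid: reasons} for events carrying at least min_reasons indicators."""
    hits = {}
    for pid, _ppid, image, cmdline in events:
        image = image.lower()
        if image.endswith("\\cmd.exe"):
            reasons = chain_indicators(cmdline)
        elif image.endswith("\\schtasks.exe"):
            task = parse_schtasks(cmdline)
            reasons = task_indicators(task) if task else []
        else:
            reasons = []
        if len(reasons) >= min_reasons:  # threshold is a tuning assumption
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Both the cmd.exe parent (PID 1932) and the schtasks.exe child (PID 2784) trip the detection, while the daily backup task and a bare `ping 127.0.0.1 && echo done` do not. Alerting on the cmd.exe line is the more robust of the two, since it ties the task creation to the self-delete and the relaunch in a single event; the same chain is what a hunt over scheduled tasks whose action sits under AppData should surface after the fact.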

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          37ef89dd053d1fbbbe543186fae272e7

          SHA1

          14f369999be0bded7dd6e33efcda9c20f8249600

          SHA256

          81a31386cace589d0ba4453811f1ee39651765cea86b849b71677e84bcb53e32

          SHA512

          5e8548db99ab474d84cc7a459d45ce0e65e4358960caf2969783a3e913c249cb1010a2a20868319da7f2683e9a261f44c2cbc0f4709c4543ef91862e06a8af15

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          f6011bb04287b584c2ed1649d078152d

          SHA1

          335c86ad722f52b69786e8a379b2d6e6506b31eb

          SHA256

          e502706f1a1d64c0ac0de9415dd0b036d35cee7ea53b0e0d863a8187e894513e

          SHA512

          5f8f46181acc1ce224803ed292f78ff9b0b05e324a8db62f6594fe8eb3a643437f7f9f8db459b08f59ce77dc44f7b6f45d18215473ec5d01e7589269763398e9

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

          MD5

          79aa8e4053032901e8f871e6a604237d

          SHA1

          67ffc2a5d989851fe5c002a82ba994d54a600198

          SHA256

          112b7f4b50afd782d8be5041831612d8faf5477a1e7d21836081ca32122b0910

          SHA512

          f2af8caefe138b3ff9f9a9c6767741fd60fc457a42ad30e0a22263118b5513980d651468d54375c4d40f346c77e8b1fb5f6e3e7e29b5be9f09249b1bf6eb9223

        • C:\Users\Admin\AppData\Local\6rfb5r0uff\port.dat

          Filesize

          4B

          MD5

          5a99158e0c52f9e7d290906c9d08268d

          SHA1

          92478578ea3b5ff51120bba9153fa3997f603cdb

          SHA256

          f652f5c87c84f33899f9be3b2f62607ce5b61c68cac1f70bb4cdbb40d79b6904

          SHA512

          a049854deb93aadded095b6bc0ddf52b242f95034964b21483d91e75d80095b174306c25eeeab5b517155ae0f8760ea487836ef30cbb9f997bdc264e802cb655

        • C:\Users\Admin\AppData\Local\EsetSecurity\D5f0a5d17c7420fe49da676.exe

          Filesize

          250KB

          MD5

          24a8408510d9b173b9dc078574261d28

          SHA1

          2ecfc788687aadbd9cc42ea311210f7cde5fa064

          SHA256

          67474d56996cadf242c087aeac455357bd33e79545538eeade15ae259fb3e869

          SHA512

          de51ce9f9df68a688e7a8092aa70210ba07a9d7738ea731e2e8a7e724b3fc73cd77e83f63d675f6a1def373b437af533e1fdc688ddf1bfb94477277a8e74a5a9

        • C:\Users\Admin\AppData\Local\Temp\Tar1CF9.tmp

          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Local\Temp\installUtilLog.txt

          Filesize

          82B

          MD5

          1d2c0986ba3c3af924ad4b8776a45190

          SHA1

          e4199810598c592fb4304eb37cf90d2ce2065a11

          SHA256

          8f8cc850ea7e227ba100ad943c4c9000857e39d66a0aa6a245f599e6868d04c2

          SHA512

          275f4de2999bc947be2a179aab2ed6e33d7591d3464d3ba43d3ca1b6fc0ada3aae2090f39dc3620bfcfa57824e26aba7b401145137f87115bbd4c3589a291524

        • memory/2060-104-0x000007FEF49D0000-0x000007FEF53BC000-memory.dmp

          Filesize

          9.9MB

        • memory/2060-129-0x000007FEF49D0000-0x000007FEF53BC000-memory.dmp

          Filesize

          9.9MB

        • memory/2244-0-0x0000000000960000-0x00000000009A4000-memory.dmp

          Filesize

          272KB

        • memory/2244-5-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

        • memory/2244-2-0x0000000000530000-0x00000000005B0000-memory.dmp

          Filesize

          512KB

        • memory/2244-1-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

          Filesize

          9.9MB

        • memory/2772-11-0x0000000000A20000-0x0000000000AA0000-memory.dmp

          Filesize

          512KB

        • memory/2772-10-0x000007FEF49D0000-0x000007FEF53BC000-memory.dmp

          Filesize

          9.9MB

        • memory/2772-9-0x0000000000B10000-0x0000000000B54000-memory.dmp

          Filesize

          272KB

        • memory/2772-101-0x000007FEF49D0000-0x000007FEF53BC000-memory.dmp

          Filesize

          9.9MB

        • memory/2772-102-0x0000000000A20000-0x0000000000AA0000-memory.dmp

          Filesize

          512KB