Overview

overview

10

Static

static

3

main.exe

windows7-x64

7

main.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2024 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    main.exe

  • Size

    5.6MB

  • MD5

    3d3c49dd5d13a242b436e0a065cd6837

  • SHA1

    e38a773ffa08452c449ca5a880d89cfad24b6f1b

  • SHA256

    e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

  • SHA512

    dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

  • SSDEEP

    98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR6s:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciY

Score
10/10
gurcumilleniumratpersistenceratspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

    ratstealermilleniumrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 756"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2856
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1084
        • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
          "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4200
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2168
            • C:\Windows\system32\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1324

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
      Filesize

      1.7MB

      MD5

      65ccd6ecb99899083d43f7c24eb8f869

      SHA1

      27037a9470cc5ed177c0b6688495f3a51996a023

      SHA256

      aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

      SHA512

      533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.bat
      Filesize

      255B

      MD5

      eefc891777cefb27b5f4bd1627001bc0

      SHA1

      bdb5d4cc5b7d4c03238fadfb2100359caf2e0155

      SHA256

      8c8eec43144b64f40d23d0d7a5b5428d8e55f3677bcfaf9edc2ad1de8d7ea0d9

      SHA512

      2120dfc9488c9bec949de65f0eaaed3c24bc08ab96de2e8d2c0799dbae0017917995db8849e3abd581503b9078b140fb2244e41466799d1e23733fab5699908b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
      Filesize

      5.6MB

      MD5

      3d3c49dd5d13a242b436e0a065cd6837

      SHA1

      e38a773ffa08452c449ca5a880d89cfad24b6f1b

      SHA256

      e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

      SHA512

      dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

      Download Submit

    • memory/756-12-0x00007FFFEFFC0000-0x00007FFFF0A81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/756-7-0x00007FFFEFFC0000-0x00007FFFF0A81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/756-8-0x000001A4CE1A0000-0x000001A4CE1BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/756-0-0x00007FFFEFFC3000-0x00007FFFEFFC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/756-6-0x000001A4E69F0000-0x000001A4E6A66000-memory.dmp

      Filesize

      472KB

      Download

    • memory/756-1-0x000001A4CC020000-0x000001A4CC5C0000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4200-19-0x00000196E2400000-0x00000196E240A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4200-20-0x00000196E2480000-0x00000196E24EA000-memory.dmp

      Filesize

      424KB

      Download

    • memory/4200-23-0x00000196E3370000-0x00000196E33AA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4200-24-0x00000196E20E0000-0x00000196E2106000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4200-42-0x00000196E3350000-0x00000196E3362000-memory.dmp

      Filesize

      72KB

      Download