gurcu | 1296fdf7b2d6d4fa60cd18069093012ffb34e7caace3da3f841d19801b9f2d30

General

Target

ScoobyExecutor.exe
Size

170KB
MD5

c5c80fe6de9dadf3f5e7a5bb88009923
SHA1

6a848d9626199d589a50ffd4ddf131a2ef9a79d2
SHA256

2e0c46ab1c5d954024d794629354ab7651c2a5f4ec25ae838769d0231dec7758
SHA512

f30fb62cd116d45f8fa29bbee962fa021a8a5f4977750344f15e51b320c8fdc7bfeb70a4f30b16c1f079212e0be397cd698e5b83cebb1a7dcd6c91ec7cd501c4
SSDEEP

3072:E6A9gn36+v3pJ1hZudQln+ETgyzi/xsbzpGBisagmlDDDybbMli32bf1G5tpL/Sa:E6Pn36G5J1hEdQln+2gDs/piisagmlDB

Score

10^/10

gurcu execution persistence stealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6521061783:AAHGo13wb3m-0882W5CagssPqANw9rPoJOw/sendMessage?chat_id=5999137434

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1832	powershell.exe
4532	powershell.exe
428	powershell.exe
3656	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	ScoobyExecutor.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	ScoobyExecutor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk	ScoobyExecutor.exe

Executes dropped EXE 1 IoCs

pid	Process
1248	dllhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Local\\dllhost.exe"	ScoobyExecutor.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4704	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
316	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
864	vlc.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3656	powershell.exe
3656	powershell.exe
1832	powershell.exe
1832	powershell.exe
4532	powershell.exe
4532	powershell.exe
428	powershell.exe
428	powershell.exe
640	ScoobyExecutor.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
864	vlc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	ScoobyExecutor.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	640	ScoobyExecutor.exe
Token: SeDebugPrivilege	1248	dllhost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
864	vlc.exe
864	vlc.exe
864	vlc.exe
864	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
864	vlc.exe
864	vlc.exe
864	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
640	ScoobyExecutor.exe
864	vlc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3656	640	ScoobyExecutor.exe	91
PID 640 wrote to memory of 3656	640	ScoobyExecutor.exe	91
PID 640 wrote to memory of 1832	640	ScoobyExecutor.exe	93
PID 640 wrote to memory of 1832	640	ScoobyExecutor.exe	93
PID 640 wrote to memory of 4532	640	ScoobyExecutor.exe	96
PID 640 wrote to memory of 4532	640	ScoobyExecutor.exe	96
PID 640 wrote to memory of 428	640	ScoobyExecutor.exe	98
PID 640 wrote to memory of 428	640	ScoobyExecutor.exe	98
PID 640 wrote to memory of 316	640	ScoobyExecutor.exe	100
PID 640 wrote to memory of 316	640	ScoobyExecutor.exe	100
PID 640 wrote to memory of 4192	640	ScoobyExecutor.exe	110
PID 640 wrote to memory of 4192	640	ScoobyExecutor.exe	110
PID 640 wrote to memory of 2820	640	ScoobyExecutor.exe	112
PID 640 wrote to memory of 2820	640	ScoobyExecutor.exe	112
PID 2820 wrote to memory of 4704	2820	cmd.exe	114
PID 2820 wrote to memory of 4704	2820	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ScoobyExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\ScoobyExecutor.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ScoobyExecutor.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ScoobyExecutor.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dllhost" /tr "C:\Users\Admin\AppData\Local\dllhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:316
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "dllhost"
  2⤵
  PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6EA3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4704

C:\Users\Admin\AppData\Local\dllhost.exe
C:\Users\Admin\AppData\Local\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2844

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TraceCheckpoint.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FUCK YOU.txt
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c050965e79d4d9794135afec5a6ce2b4

SHA1
a004aef44c4a5efccf5c34e6472b6fa9582e29fe

SHA256
5225f1b079703c11f751062c564b29af62ddb3f475efda59d3b52f9d9dfb3dff

SHA512
395bab0a88feb468a9bacca8ffeb3cb7ecc25983a9c3063793b4c6ea92259afa9dcce902e3acca9c4529b2569f61eaaa3b7c54b225eccf4f31d004d31c7bec0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qu1nq5qx.cjq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EA3.tmp.bat

Filesize
166B

MD5
442937b095e3961b5fdc26ca4f5bbad3

SHA1
2caeb42a958826181dccb71af4182c33a2ca83d6

SHA256
8053aa74df657abec8db485390e606511636b2bf965471d8737683beae34d892

SHA512
d56bb2028e8f901c58b780a9856e30492a76113c36207970dac32ebbeb305d8ba2f92682c241f120c850485dbb68762e0603d7245a488c67f1feaeef765fe6cd

Download Submit
C:\Users\Admin\AppData\Local\dllhost.exe

Filesize
170KB

MD5
c5c80fe6de9dadf3f5e7a5bb88009923

SHA1
6a848d9626199d589a50ffd4ddf131a2ef9a79d2

SHA256
2e0c46ab1c5d954024d794629354ab7651c2a5f4ec25ae838769d0231dec7758

SHA512
f30fb62cd116d45f8fa29bbee962fa021a8a5f4977750344f15e51b320c8fdc7bfeb70a4f30b16c1f079212e0be397cd698e5b83cebb1a7dcd6c91ec7cd501c4

Download Submit
C:\Users\Admin\Desktop\HideRestore.xlsx

Filesize
13KB

MD5
2b67d0470394f08cf4235e2ac9bfe2bc

SHA1
35127d6c89bbc06fbdacffcf72d7eaa90ede3fa7

SHA256
dc6d8af834870b8fa8cd157949070ee613572b2c4f869a81dd6cadaa57616cae

SHA512
31d9197ab5829447b5c600e240a4507f9dcdebe8b450195ca819c523817204235da8c50878c294035a90c53895824c13ab62df98cbeb8dc0621d63d9f31da2f5

Download Submit
memory/640-67-0x000000001D560000-0x000000001D56C000-memory.dmp

Filesize
48KB

Download
memory/640-64-0x00007FFD14F20000-0x00007FFD159E1000-memory.dmp

Filesize
10.8MB

Download
memory/640-1-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download
memory/640-2-0x00007FFD14F20000-0x00007FFD159E1000-memory.dmp

Filesize
10.8MB

Download
memory/640-75-0x00007FFD14F20000-0x00007FFD159E1000-memory.dmp

Filesize
10.8MB

Download
memory/640-57-0x000000001C190000-0x000000001C292000-memory.dmp

Filesize
1.0MB

Download
memory/640-74-0x000000001C190000-0x000000001C292000-memory.dmp

Filesize
1.0MB

Download
memory/640-61-0x000000001CB10000-0x000000001CB1A000-memory.dmp

Filesize
40KB

Download
memory/640-62-0x00007FFD14F23000-0x00007FFD14F25000-memory.dmp

Filesize
8KB

Download
memory/640-0-0x00007FFD14F23000-0x00007FFD14F25000-memory.dmp

Filesize
8KB

Download
memory/864-86-0x00007FFD24930000-0x00007FFD24964000-memory.dmp

Filesize
208KB

Download
memory/864-85-0x00007FF6E5A70000-0x00007FF6E5B68000-memory.dmp

Filesize
992KB

Download
memory/864-87-0x00007FFD14950000-0x00007FFD14C06000-memory.dmp

Filesize
2.7MB

Download
memory/864-88-0x00007FFD12510000-0x00007FFD135C0000-memory.dmp

Filesize
16.7MB

Download
memory/3656-18-0x00007FFD14F20000-0x00007FFD159E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-8-0x00007FFD14F20000-0x00007FFD159E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-13-0x0000015426E70000-0x0000015426E92000-memory.dmp

Filesize
136KB

Download
memory/3656-14-0x00007FFD14F20000-0x00007FFD159E1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-15-0x00007FFD14F20000-0x00007FFD159E1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads