Overview

overview

10

Static

static

3

ad4f601be8...52.exe

windows7-x64

8

ad4f601be8...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe

  • Size

    580KB

  • MD5

    618cde762459c080282d9074bdf7f6f8

  • SHA1

    b4a1fa65153e4ecbe505d6e16fee69e51cd0c58c

  • SHA256

    ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952

  • SHA512

    0edc45b0b6b4ce06bdd603470c2fe70f5b7493957fa74d1c2bf5802d8f4dd377842d1d73ae686c608165f470434bf894538f7ef422faa0c897d948282df07b81

  • SSDEEP

    12288:2aNNTd2p3eZmbtueoiM4TGzqSB3VuVbfrJ/79gUkvjM5a5HGmgZq6:2eTd2pwmbQ9ibWFanavsaxGxk6

Score
10/10
gurcucredential_accessdiscoveryexecutionpersistencespywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6778517563:AAHWX9Uu5kbGG8tbi2AVnm_iK8s3bKlnB3M/sendDocumen

Signatures

  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe
    "C:\Users\Admin\AppData\Local\Temp\ad4f601be8e0069f4db65b7d19d066e0a58705f6a70dd4fc2982ab0de1021952.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\D5C0.tmp\D5C1.vbs //Nologo
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4812
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2344
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:3500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\D5C0.tmp\D5C1.vbs
      Filesize

      993KB

      MD5

      5a868260808a671876a72a2bcbe51330

      SHA1

      09bdee7ba0a95ccb489c2af57abde901a9a18a69

      SHA256

      423ec3c214f5ce0db6b53c254f480aeee4eb4691404f77405fbb54617d2c047f

      SHA512

      e00f2fee3927a9ef4bd1dec4d480c64bd338ee6bb42ce3c7869962b60ff4052a5dfa9e9fa25c6b6c18ef52cbc7a25c95b7dc868ff80f0873f495cd99b7ea37f6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\D5BF.tmp\file.exe
      Filesize

      136KB

      MD5

      bab3cb62cebe3a18436fa8a60bc32754

      SHA1

      98fca3544509c24d7647f2aca85e021774a93663

      SHA256

      9a2251cd0659f32759f589124a0aec75a046d3137fcb3138dacd87c087d38768

      SHA512

      71805cb421dba13f1869382507f1ac1c1fdf0017ed65512430ca65fc711721bcf1c5eb0743a3d846e35fa8c10fd547a329b08539eff68aabff81fdec773be703

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0phdj2h.abh.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2344-30-0x00000206C8B30000-0x00000206C8B52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5060-13-0x0000000000750000-0x0000000000778000-memory.dmp

      Filesize

      160KB

      Download

    • memory/5060-14-0x00007FFDF6853000-0x00007FFDF6855000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5060-15-0x00007FFDF6850000-0x00007FFDF7311000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5060-37-0x00007FFDF6853000-0x00007FFDF6855000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5060-38-0x00007FFDF6850000-0x00007FFDF7311000-memory.dmp

      Filesize

      10.8MB

      Download