General
-
Target
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de
-
Size
201KB
-
Sample
241027-m2rd4avmaz
-
MD5
c595d96742a883a534ed1ca1f0d279d1
-
SHA1
c465daa9e5bd998ef39c59f80f82f79cc75ce659
-
SHA256
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de
-
SHA512
142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b
-
SSDEEP
6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD
Static task
static1
Behavioral task
behavioral1
Sample
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm
Resource
win10v2004-20241007-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7761583635:AAGKfAalgYsBotuxvw8mb6qVnPPY4_337uo/sendMessage?chat_id=972119615
Targets
-
-
Target
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de
-
Size
201KB
-
MD5
c595d96742a883a534ed1ca1f0d279d1
-
SHA1
c465daa9e5bd998ef39c59f80f82f79cc75ce659
-
SHA256
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de
-
SHA512
142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b
-
SSDEEP
6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD
-
Gurcu family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Deobfuscate/Decode Files or Information
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1