Overview

overview

10

Static

static

3

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    308KB

  • MD5

    d5b8ac0d80c99e7dda0d9df17c159f3d

  • SHA1

    ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a

  • SHA256

    c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78

  • SHA512

    2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc

  • SSDEEP

    6144:+MW2MDA5DDzwLLoMC9YsbxE0UyRtXpJldoopDIrhi7m:EREZELLoMeYkxEgJzTp

Score
10/10
gurcucollectiondiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7722280561:AAEgRsAuRdqeD2qmEUjdhEM6F9R5eAxwIT4/sendMessage?chat_id=7734728653

Signatures

  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1360
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        3⤵
        • System Network Configuration Discovery: Wi-Fi Discovery
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1448
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            4⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:3248
          • C:\Windows\system32\findstr.exe
            findstr /R /C:"[ ]:[ ]"
            4⤵
              PID:5012
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2512
            • C:\Windows\system32\chcp.com
              chcp 65001
              4⤵
                PID:4496
              • C:\Windows\system32\netsh.exe
                netsh wlan show networks mode=bssid
                4⤵
                • Event Triggered Execution: Netsh Helper DLL
                PID:2860
              • C:\Windows\system32\findstr.exe
                findstr "SSID BSSID Signal"
                4⤵
                  PID:752
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:320
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  4⤵
                    PID:4188
                  • C:\Windows\system32\timeout.exe
                    timeout /t 3
                    4⤵
                    • Delays execution with timeout.exe
                    PID:4912

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\build.exe
              Filesize

              223KB

              MD5

              ecc94919c7d1385d489961b21af97328

              SHA1

              82f01aac4fdeb34ec23900d73b64beb01ea5a843

              SHA256

              f47224fc9bd939839623ac7eb8f86d735d0dcd8ba7b2c256125850efd6401059

              SHA512

              87213dfdd9901788de45572630d766739c3fa262624f3c891620d0624b1d32d908f529859ae106ed1e0b7d203c0a986db1198e226c2cf0e6070837d40ec13190

              Download Submit

            • memory/1360-15-0x00007FFC0D7F3000-0x00007FFC0D7F5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1360-16-0x000001F781FC0000-0x000001F781FF8000-memory.dmp

              Filesize

              224KB

              Download

            • memory/1360-18-0x00007FFC0D7F0000-0x00007FFC0E2B1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1360-19-0x00007FFC0D7F3000-0x00007FFC0D7F5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1360-20-0x00007FFC0D7F0000-0x00007FFC0E2B1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1360-23-0x00007FFC0D7F0000-0x00007FFC0E2B1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3808-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3808-1-0x0000000000120000-0x0000000000174000-memory.dmp

              Filesize

              336KB

              Download

            • memory/3808-3-0x0000000074AB0000-0x0000000075260000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3808-17-0x0000000074AB0000-0x0000000075260000-memory.dmp

              Filesize

              7.7MB

              Download