Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 12:57

General

  • Target

    f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

  • Size

    490KB

  • MD5

    a338043c6b5260df6b7ce4c4ec3d1b80

  • SHA1

    087a787a34ee05478bfa07b50fd39c8367b0a157

  • SHA256

    f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

  • SHA512

    c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

  • SSDEEP

    6144:/6ho3IhHN5ya1R64TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tw39b5wGuJB:irhtHxpmWHgf8Y6/Qp1nLiDKIwf

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6104192483:AAFCcnr4FR2XCO83zUSAWWZ9J3qw4tRYQoI/sendMessage?chat_id=2076277850

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • A potential corporate email address has been identified in the URL: SjiLM_Admin@YQRLKYON_report.wsr
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2892
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5040
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2344
        • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:3168
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp" -C "C:\Users\Admin\AppData\Local\y5aox5pi99"
            4⤵
              PID:1136
            • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
              "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:2772
      • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
          "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:4380
      • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
          "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:3836

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

        Filesize

        490KB

        MD5

        a338043c6b5260df6b7ce4c4ec3d1b80

        SHA1

        087a787a34ee05478bfa07b50fd39c8367b0a157

        SHA256

        f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

        SHA512

        c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe.log

        Filesize

        847B

        MD5

        3308a84a40841fab7dfec198b3c31af7

        SHA1

        4e7ab6336c0538be5dd7da529c0265b3b6523083

        SHA256

        169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

        SHA512

        97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

      • C:\Users\Admin\AppData\Local\Temp\tmpB277.tmp

        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

      • C:\Users\Admin\AppData\Local\y5aox5pi99\data\cached-certs

        Filesize

        18KB

        MD5

        faf2a62b3642b5a7c5f543c0702715d8

        SHA1

        e7eff4aac497b942800d2d8453a68330aec88312

        SHA256

        4503ee09b65fb26821a1e2e1009ff9d7fa00f783385266c8d80d17a65c898d2a

        SHA512

        8d640850083b1b3b4c5bf656504981486a47376161d5cedf28f53d58d795b4dd4d44d29f341486eef2740d018b61fecceb864a6a89aede5965453b0f57d779b7

      • C:\Users\Admin\AppData\Local\y5aox5pi99\data\cached-microdesc-consensus.tmp

        Filesize

        2.8MB

        MD5

        60b015590834133e034982d1b0a50a11

        SHA1

        87be108c43f309b8996f79d9f765118c0243df35

        SHA256

        96e7246185578f37210e1cf9b0f08cdb736f9f92db5d7c78d63a55a8e0139edc

        SHA512

        8d38f5199585b2f646e08038534aab372da817ec850d25147269ec8270f62a355a8d35da0d3ee478ca87cb23e97d8f35a3e36d7a39c96fdfb631a3ccaf3b5a25

      • C:\Users\Admin\AppData\Local\y5aox5pi99\data\cached-microdescs.new

        Filesize

        11.0MB

        MD5

        e5b659de042a9acac8cf6ba6c2eea762

        SHA1

        67ffc0717b30c42fd5945ae2a8d42ef2c13416af

        SHA256

        c1d00df8488487c1261d3a1331dde2d08520a871de0555e7baa8a314cc5c6618

        SHA512

        376852c85a4e0e7fa5c2aa8ff916d52cd3c1653e0e58a8b366c3e5a1d123ecddc15c155e5a28fa9b705159a6204959054b260cbf12c37e107461d561b49e4e6b

      • C:\Users\Admin\AppData\Local\y5aox5pi99\host\hostname

        Filesize

        64B

        MD5

        49e03e5a5e921944b695526513a8a803

        SHA1

        33177a2d68f89c7ba531fb73b3bd02db12e3611c

        SHA256

        947445aadbd931d2c8788ae71104b6247235c1dc45a3ccab858a9ba485bf9587

        SHA512

        c45b37a8dcd8d860bbc2fe8a00f9766eb838b8d2ed2765b2c022229800e9ee6aad4037d7e691052bc551f5497662ae13c18a6593210a0d33199f4fe636c69068

      • C:\Users\Admin\AppData\Local\y5aox5pi99\port.dat

        Filesize

        4B

        MD5

        dff8e9c2ac33381546d96deea9922999

        SHA1

        b7fe6dafb30d4f8a88653272cf36a4d37c328440

        SHA256

        82af498652ef41247a7013552a7ac0538cec5a7232eb17ad11a06f1a20956293

        SHA512

        23a3e487c61fb4bb75209d455bd90fe70cbc2530a1f9c2307e1d58dbdb6a39eeba9c2498f25d3cf02a66c320762f386b50a1fd5c639070fdd30e6b0878c1e9eb

      • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe

        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

      • C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt

        Filesize

        218B

        MD5

        f34270a1ba2d6e15a1b0ce0c7e755c34

        SHA1

        84b8863606b1cbcd5ddc5aedb902dcaf786c2a00

        SHA256

        b068c70f905fce1bbabd49241a06dae030a99f579637e17f0cd157caa51579c0

        SHA512

        c2b8d9a28b065fc99136fa505d99919167ccefb079bc2fe99ed2f6475bb4d7b38ca060f4db5d289d8368db4fafe5bef7f1b850189fb8f9bc646ed47ccaad28ea

      • memory/3168-11-0x00007FF8C0DC0000-0x00007FF8C1881000-memory.dmp

        Filesize

        10.8MB

      • memory/3168-39-0x00007FF8C0DC0000-0x00007FF8C1881000-memory.dmp

        Filesize

        10.8MB

      • memory/4420-6-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

        Filesize

        10.8MB

      • memory/4420-4-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

        Filesize

        10.8MB

      • memory/4420-0-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

        Filesize

        8KB

      • memory/4420-1-0x00000246FDE30000-0x00000246FDEB0000-memory.dmp

        Filesize

        512KB