Overview

overview

10

Static

static

10

f7b02278a2...50.exe

windows7-x64

10

f7b02278a2...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe

  • Size

    490KB

  • MD5

    a338043c6b5260df6b7ce4c4ec3d1b80

  • SHA1

    087a787a34ee05478bfa07b50fd39c8367b0a157

  • SHA256

    f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

  • SHA512

    c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

  • SSDEEP

    6144:/6ho3IhHN5ya1R64TxT8jWHgf8YJkVHC++VeQPBZnq0LZYSwFxQx9tw39b5wGuJB:irhtHxpmWHgf8Y6/Qp1nLiDKIwf

Score
10/10
gurcucollectiondiscoveryphishingspywarestealer

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6104192483:AAFCcnr4FR2XCO83zUSAWWZ9J3qw4tRYQoI/sendMessage?chat_id=2076277850

Signatures

  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • A potential corporate email address has been identified in the URL: MJAHk_Admin@GUMLNLFE_report.wsr
    phishing
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
    "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:3200
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3904
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn "f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe" /rl HIGHEST /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2496
        • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
          "C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:2848
          • C:\Windows\System32\tar.exe
            "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpB352.tmp" -C "C:\Users\Admin\AppData\Local\y5aox5pi99"
            4⤵
              PID:2904
            • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
              "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
              4⤵
              • Executes dropped EXE
              PID:2552
      • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
          "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2976
      • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
          "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:2524
      • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
          "C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt"
          2⤵
          • Executes dropped EXE
          PID:1792

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\EsetSecurity\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe
        Filesize

        490KB

        MD5

        a338043c6b5260df6b7ce4c4ec3d1b80

        SHA1

        087a787a34ee05478bfa07b50fd39c8367b0a157

        SHA256

        f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50

        SHA512

        c81b2f1aac6d249d43b485e8e536c22a8f44da09e31f118f9ddfd0f1ef6d1eba4b67e96d087b2148f45dc93e0de5ba0178c422088e110a40544a7b3b2ff4fccf

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f7b02278a2310a2657dcca702188af461ce8450dc0c5bced802773ca8eab6f50.exe.log
        Filesize

        847B

        MD5

        3308a84a40841fab7dfec198b3c31af7

        SHA1

        4e7ab6336c0538be5dd7da529c0265b3b6523083

        SHA256

        169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

        SHA512

        97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpB352.tmp
        Filesize

        13.3MB

        MD5

        89d2d5811c1aff539bb355f15f3ddad0

        SHA1

        5bb3577c25b6d323d927200c48cd184a3e27c873

        SHA256

        b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

        SHA512

        39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

        Download Submit

      • C:\Users\Admin\AppData\Local\y5aox5pi99\data\cached-microdesc-consensus.tmp
        Filesize

        2.8MB

        MD5

        60b015590834133e034982d1b0a50a11

        SHA1

        87be108c43f309b8996f79d9f765118c0243df35

        SHA256

        96e7246185578f37210e1cf9b0f08cdb736f9f92db5d7c78d63a55a8e0139edc

        SHA512

        8d38f5199585b2f646e08038534aab372da817ec850d25147269ec8270f62a355a8d35da0d3ee478ca87cb23e97d8f35a3e36d7a39c96fdfb631a3ccaf3b5a25

        Download Submit

      • C:\Users\Admin\AppData\Local\y5aox5pi99\data\cached-microdescs.new
        Filesize

        7.9MB

        MD5

        b6356bc8a6660b24a204ab5f98a9ac82

        SHA1

        7af7ae8176dcac760a604ca2f793ecb2196db9a4

        SHA256

        1dce196c0567d7d6e35982da8005e8aa4952474059cde98b0ef4830083f68e9c

        SHA512

        eb93dba2d3b1838d9da899e1428f5b3a3af000411745d6283d96c768a45862458551b520bd795fbf5e853a9945ea7b9c069d0c86d2044e457fa98cc9bd5fbb38

        Download Submit

      • C:\Users\Admin\AppData\Local\y5aox5pi99\host\hostname
        Filesize

        64B

        MD5

        4732bbcec36c9bfa0f98c73e7591ec05

        SHA1

        5f1ef39c74fb83723b15bd75fb883ceecca1c522

        SHA256

        ee01e565c6572e80767c1357877cf3a5ed1b18c87afa4eedb5322c4ece1fe5fa

        SHA512

        3334c1785ebbb515124ff02318af764bd3fc5a7216b6f00450adb699618cf1daf0d01fb9e37f9a0096aea9ad84e22f89a9d24cefc9a37be71794b20828be7170

        Download Submit

      • C:\Users\Admin\AppData\Local\y5aox5pi99\port.dat
        Filesize

        4B

        MD5

        d3e0f226df6865b28fb677548370f467

        SHA1

        dad97feeb29459f49b8b8172b8ff8ed728054fa7

        SHA256

        a473459996b96ce015e4f44fc3f3ab3d8033d0514fd5504be6e9d71ef995a765

        SHA512

        b2f99f2a43e87a3080d13dd0ac0ddae9fa59cd911a9112b45d8787698e6e95a30d89705a92bb362a27cd0a0a0f50afa275101b37af2ecf63773b6dab618b7a71

        Download Submit

      • C:\Users\Admin\AppData\Local\y5aox5pi99\tor\tor.exe
        Filesize

        7.4MB

        MD5

        88590909765350c0d70c6c34b1f31dd2

        SHA1

        129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

        SHA256

        46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

        SHA512

        a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

        Download Submit

      • C:\Users\Admin\AppData\Local\y5aox5pi99\torrc.txt
        Filesize

        218B

        MD5

        4a0cfe2e5cc289e13e84e3cc3dcdff5f

        SHA1

        46fe377d4c974dd628554bacaa1c1df1900dc06b

        SHA256

        092fc1c0bf07544f66656f4694b3ebc93a8ad14f3499bf5db67b4970fd0c7200

        SHA512

        130cef0d6b60f2921ec60f4d825d52d08a8db5dffc480094921e1cfbc77a781e871cb0851854bf9937d2d5d24dab223901ef857267aa3643a4b510847673f680

        Download Submit

      • memory/1216-6-0x00007FF909AE0000-0x00007FF90A5A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1216-0-0x00007FF909AE3000-0x00007FF909AE5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1216-4-0x00007FF909AE0000-0x00007FF90A5A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1216-1-0x0000022A8D410000-0x0000022A8D490000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2848-11-0x00007FF909400000-0x00007FF909EC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2848-39-0x00007FF909400000-0x00007FF909EC1000-memory.dmp

        Filesize

        10.8MB

        Download