Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2024 12:06

General

  • Target

    a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe

  • Size

    5.6MB

  • MD5

    1d0701d8fdc16df25fa0249b59aab042

  • SHA1

    6028426f7e0a712a1aeae28d986337aafae26abe

  • SHA256

    a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9

  • SHA512

    f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17

  • SSDEEP

    98304:tJRl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcA:tWOuK6mn9NzgMoYkSIvUcwti7TQlvciP

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendMessage?chat_id=7538374929

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/getUpdates?offset=-

https://api.telegram.org/bot7733030005:AAEneIh4MdJeCVQCr4Pys9pel6q03FCPCi0/sendDocument?chat_id=7538374929&caption=%F0%9F%93%B8Screenshot%20take

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • MilleniumRat

    MilleniumRat is a remote access trojan written in C#.

  • Milleniumrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe
    "C:\Users\Admin\AppData\Local\Temp\a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA5E5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA5E5.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2580
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 3156"
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4944
        • C:\Windows\system32\find.exe
          find ":"
          3⤵
            PID:680
          • C:\Windows\system32\timeout.exe
            Timeout /T 1 /Nobreak
            3⤵
            • Delays execution with timeout.exe
            PID:2772
          • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Regkey.exe
            "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Regkey.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2064

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

        Filesize

        1.7MB

        MD5

        65ccd6ecb99899083d43f7c24eb8f869

        SHA1

        27037a9470cc5ed177c0b6688495f3a51996a023

        SHA256

        aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

        SHA512

        533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

      • C:\Users\Admin\AppData\Local\Temp\tmpA5E5.tmp.bat

        Filesize

        286B

        MD5

        404a731958b60b6746f01947a706395b

        SHA1

        0c10447c12bda07c3acf685dee86a1cca6c16b4c

        SHA256

        5907ce897fa03cf0c1b4739961d930f0741864e927a628c47793377b563b0c8e

        SHA512

        73c7a48306bbc3e3cc9b1a54fded2f2135b650a9cd12f53d4b3d708f974af539fa059bc6d87d49919c73259a7ab3ed8fe483182dece79f75c2d7946948834b10

      • C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Regkey.exe

        Filesize

        5.6MB

        MD5

        1d0701d8fdc16df25fa0249b59aab042

        SHA1

        6028426f7e0a712a1aeae28d986337aafae26abe

        SHA256

        a129d94c366e0caa9a024b5846031b331b5ea7526915299cac3c60c0a79fdde9

        SHA512

        f1e2cf861b86af37094192c7d110640c630944cee00542c7133fce703584e4ed08a3dae76c0c1afd30c4890e66d482fcc17c1eeb434ec711586c7ff0130c9e17

      • memory/2064-23-0x000001F6FE7D0000-0x000001F6FE820000-memory.dmp

        Filesize

        320KB

      • memory/2064-24-0x000001F6FE820000-0x000001F6FE842000-memory.dmp

        Filesize

        136KB

      • memory/2064-47-0x000001F6FF7F0000-0x000001F6FF802000-memory.dmp

        Filesize

        72KB

      • memory/2064-28-0x000001F6FF4C0000-0x000001F6FF7EE000-memory.dmp

        Filesize

        3.2MB

      • memory/2064-27-0x000001F6FE850000-0x000001F6FE876000-memory.dmp

        Filesize

        152KB

      • memory/2064-26-0x000001F6FF480000-0x000001F6FF4BA000-memory.dmp

        Filesize

        232KB

      • memory/2064-22-0x000001F6FE6D0000-0x000001F6FE782000-memory.dmp

        Filesize

        712KB

      • memory/2064-20-0x000001F6FE660000-0x000001F6FE6CA000-memory.dmp

        Filesize

        424KB

      • memory/3156-1-0x000001C2EBF20000-0x000001C2EC4C2000-memory.dmp

        Filesize

        5.6MB

      • memory/3156-0-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

        Filesize

        8KB

      • memory/3156-7-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

        Filesize

        10.8MB

      • memory/3156-6-0x000001C2EE9E0000-0x000001C2EEA56000-memory.dmp

        Filesize

        472KB

      • memory/3156-13-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

        Filesize

        10.8MB

      • memory/3156-9-0x000001C2EE200000-0x000001C2EE20A000-memory.dmp

        Filesize

        40KB

      • memory/3156-8-0x000001C2EE1E0000-0x000001C2EE1FE000-memory.dmp

        Filesize

        120KB