Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05/01/2025, 12:58

General

  • Target

    Chrome Update.exe

  • Size

    119KB

  • MD5

    a39f21db0576a82177ee4c806766d763

  • SHA1

    ee4676f4dedd24003ce1bd972cbce95ef51fa07f

  • SHA256

    825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db

  • SHA512

    ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133

  • SSDEEP

    3072:IAWfRzlXCwwFwOwWAmm+G/bxqH8QWqzCrAZuuyn1:IAD1SWHe/bgRY

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdate

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210546

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210547

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210548

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210549

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getUpdates?offset=33210550

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/getFile?file_id=BQACAgQAAxkBAAMIZ3qCMF_cjzyyw9uX36HfJgjkWLEAAoQZAAKhZdFTilOkM3y6NaU2B

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendPhoto?chat_id=705362059

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Toxiceye family
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 49 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2260
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 4000"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3172
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:3668
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4512
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3532
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4608
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp7213.tmp.bat

      Filesize

      190B

      MD5

      5d5f0ce9e518a93748b389f3784eff72

      SHA1

      ca75586dbaae06fde8755e93da8fb0517d1a3755

      SHA256

      656d2baaf6661aba0953df2eceb39cdbdf7a7c147ff4ae203b78c454b3633f32

      SHA512

      9c5e55b758479850d5923edcbd70fda0587d699ac81924024b3265e23350612e7180e6ea54e8e2ae5aa7bd3da78fa991647c2d2475ae5e0a747cf86139d3ab1c

    • C:\Users\ToxicEye\rat.exe

      Filesize

      119KB

      MD5

      a39f21db0576a82177ee4c806766d763

      SHA1

      ee4676f4dedd24003ce1bd972cbce95ef51fa07f

      SHA256

      825509eb0672d6114194c773b017d5d41d9e67be4fe41f753f9c6bb37b1c32db

      SHA512

      ea07e5d6f2b8ae0fbf8c1931d844bfbff920b3c9f83d10d38bd76828ed2d8a4b849251a87f5e2ad6bb1e9d9b1e5a75520baf2b70e063f44595e058c433be1133

    • memory/3532-8-0x000001FF5F430000-0x000001FF5F4DA000-memory.dmp

      Filesize

      680KB

    • memory/3532-9-0x000001FF5F560000-0x000001FF5F5D6000-memory.dmp

      Filesize

      472KB

    • memory/4000-0-0x00007FFE8A423000-0x00007FFE8A425000-memory.dmp

      Filesize

      8KB

    • memory/4000-1-0x0000014180140000-0x0000014180164000-memory.dmp

      Filesize

      144KB

    • memory/4000-2-0x00007FFE8A420000-0x00007FFE8AEE2000-memory.dmp

      Filesize

      10.8MB

    • memory/4000-5-0x00007FFE8A420000-0x00007FFE8AEE2000-memory.dmp

      Filesize

      10.8MB

    • memory/4424-15-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-16-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-14-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-26-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-25-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-24-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-23-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-22-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-21-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB

    • memory/4424-20-0x000001E188FC0000-0x000001E188FC1000-memory.dmp

      Filesize

      4KB