Analysis
- max time kernel: 118s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 24-10-2021 12:08

Tasks
- Static task: static1
- Behavioral task: behavioral1, sample mixseven_20211024-140758.exe, resource win7-en-20211014
- Behavioral task: behavioral2, sample mixseven_20211024-140758.exe, resource win10-en-20210920

The signatures and process tree below belong to behavioral2 (win10-en-20210920), the task that matches the platform and resource given in the header.
General
- Target: mixseven_20211024-140758.exe
- Size: 382KB
- MD5: 4980013187df2039a603f83d1c1fa9a4
- SHA1: 08356b1f3fb2755bcf6442822a7b4c142790789b
- SHA256: 65c4a1e7aaa3266fd6efbf8b1d041b366178718452012a97c7e2542b49766b68
- SHA512: e39557d720d0a5bde26e279f9eed15567f57ed34b2759027a6bc8ad6302cdc9fb64558f4bf053f7fd2e2d4848dcce1679159af3234ec0dcd474efe631ff20114
Malware Config
(none extracted; the report carries no configuration section for this sample)
Signatures
- suricata: ET MALWARE GCleaner Downloader Activity M5
  Network IDS match: the sample's traffic during the run matched the Emerging Threats Suricata rule for the GCleaner downloader family. This is the only family attribution in the report.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: nothing else in this report (no file-modification, encryption or ransom-note signature) supports a ransomware verdict, and the network signature above points to a downloader instead.
- Program crash (7 IoCs)
  Each WerFault.exe instance reports a crash of the sample (PID 3712):
  pid   pid_target  process       target process
  1872  3712        WerFault.exe  mixseven_20211024-140758.exe
  668   3712        WerFault.exe  mixseven_20211024-140758.exe
  448   3712        WerFault.exe  mixseven_20211024-140758.exe
  1396  3712        WerFault.exe  mixseven_20211024-140758.exe
  3044  3712        WerFault.exe  mixseven_20211024-140758.exe
  1288  3712        WerFault.exe  mixseven_20211024-140758.exe
  2440  3712        WerFault.exe  mixseven_20211024-140758.exe
- Kills process with taskkill (1 IoCs)
  pid   process
  2388  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; the report truncates this list at 64 entries)
  All entries are WerFault.exe instances, grouped here by pid:
  pid   process       entries
  1872  WerFault.exe  12
  668   WerFault.exe  12
  448   WerFault.exe  12
  1396  WerFault.exe  12
  3044  WerFault.exe  13
  1288  WerFault.exe  3 (list cut off here; 2440 does not appear before the truncation)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                 pid   process
  Token: SeRestorePrivilege   1872  WerFault.exe
  Token: SeBackupPrivilege    1872  WerFault.exe
  Token: SeDebugPrivilege     1872  WerFault.exe
  Token: SeDebugPrivilege     668   WerFault.exe
  Token: SeDebugPrivilege     448   WerFault.exe
  Token: SeDebugPrivilege     1396  WerFault.exe
  Token: SeDebugPrivilege     3044  WerFault.exe
  Token: SeDebugPrivilege     1288  WerFault.exe
  Token: SeDebugPrivilege     2440  WerFault.exe
  Token: SeDebugPrivilege     2388  taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                        target process
  PID 3712 wrote to memory of 2492   3712  mixseven_20211024-140758.exe   cmd.exe
  PID 3712 wrote to memory of 2492   3712  mixseven_20211024-140758.exe   cmd.exe
  PID 3712 wrote to memory of 2492   3712  mixseven_20211024-140758.exe   cmd.exe
  PID 2492 wrote to memory of 2388   2492  cmd.exe                        taskkill.exe
  PID 2492 wrote to memory of 2388   2492  cmd.exe                        taskkill.exe
  PID 2492 wrote to memory of 2388   2492  cmd.exe                        taskkill.exe
  Each parent writes three times into a child it has just created; that is the normal CreateProcess start-up pattern for a direct child rather than injection into an unrelated process, so this signature only confirms the sample -> cmd.exe -> taskkill.exe chain.
Processes
Process tree for behavioral2; indentation shows depth, "-" lines are the signatures that fired on that process. In the WerFault.exe command lines, -p 3712 names the crashed process (the sample), so all seven instances are crash reports for the same PID.

C:\Users\Admin\AppData\Local\Temp\mixseven_20211024-140758.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\mixseven_20211024-140758.exe"
  PID: 3712
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 656
      PID: 1872
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 768
      PID: 668
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 744
      PID: 448
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 764
      PID: 1396
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 912
      PID: 3044
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1148
      PID: 1288
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1184
      PID: 2440
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "mixseven_20211024-140758.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mixseven_20211024-140758.exe" & exit
      PID: 2492
      - Suspicious use of WriteProcessMemory
      The sample's last action is to remove itself: it spawns cmd.exe to force-kill its own image name and then erase its own file from the Temp directory.

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /im "mixseven_20211024-140758.exe" /f
          PID: 2388
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
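The two behaviours in this tree worth turning into a detection are the crash loop (seven WerFault.exe instances naming the same target PID 3712 via -p) and the self-deletion (cmd.exe, spawned by the sample, running taskkill /im on the sample's own image name followed by erase of its own path). The Python below is an added example and not part of the Triage report; it runs over a process list constructed from the tree above (pid, parent pid, image, command line, with the parent links as the report draws them) and flags both patterns. The event shape, function names and threshold are this example's own assumptions; the same logic applies to Sysmon process-creation events if the fields are mapped.

```python
"""Flag two behaviours from a sandbox process tree: a crash loop on one PID and
a process whose cmd.exe child kills and erases the parent's own image (self-deletion)."""
import ntpath
import re
from collections import Counter

# Constructed from the process tree in the report above: pid, parent pid, image path
# and command line. Parent links are as the report draws them (WerFault.exe shown
# under the crashed process); the root has no parent.
PROCESS_EVENTS = [
    {"pid": 3712, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\mixseven_20211024-140758.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\mixseven_20211024-140758.exe"'},
] + [
    {"pid": pid, "ppid": 3712, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": rf"C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s {handle}"}
    for pid, handle in [(1872, 656), (668, 768), (448, 744), (1396, 764),
                        (3044, 912), (1288, 1148), (2440, 1184)]
] + [
    {"pid": 2492, "ppid": 3712, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"C:\Windows\System32\cmd.exe" /c taskkill /im "mixseven_20211024-140758.exe" /f '
                 r'& erase "C:\Users\Admin\AppData\Local\Temp\mixseven_20211024-140758.exe" & exit')},
    {"pid": 2388, "ppid": 2492, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /im "mixseven_20211024-140758.exe" /f'},
]

# WerFault.exe -u -p <pid> -s <handle>: -p names the crashed process.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
# taskkill ... /im <image name>: the process being killed (name may be quoted).
TASKKILL_RE = re.compile(r'\btaskkill\b.*?/im\s+"?([^"\s]+)"?', re.IGNORECASE)
# erase|del <path>: the file being removed; the path ends at the next & or end of line.
DELETE_RE = re.compile(r'\b(?:erase|del)\b\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def werfault_target(cmdline):
    """PID named by WerFault's -p switch, or None if the switch is absent."""
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def find_crash_loops(events, threshold=3):
    """Map crashed PID -> number of WerFault reports, for PIDs at or above `threshold`."""
    counts = Counter()
    for ev in events:
        if image_name(ev["image"]) == "werfault.exe":
            target = werfault_target(ev["cmdline"])
            if target is not None:
                counts[target] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def find_self_deletion(events):
    """cmd.exe children whose command line both kills and erases the parent's own image."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if image_name(ev["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue
        parent_name = image_name(parent["image"])
        kill = TASKKILL_RE.search(ev["cmdline"])
        erase = DELETE_RE.search(ev["cmdline"])
        if not (kill and erase):
            continue
        # Both the killed image name and the erased file must be the parent itself.
        if kill.group(1).lower() == parent_name and image_name(erase.group(1)) == parent_name:
            hits.append({"cmd_pid": ev["pid"], "parent_pid": parent["pid"],
                         "parent_image": parent["image"], "erased_path": erase.group(1)})
    return hits


if __name__ == "__main__":
    for pid, n in find_crash_loops(PROCESS_EVENTS).items():
        print(f"crash loop: PID {pid} reported by WerFault {n} times")
    for hit in find_self_deletion(PROCESS_EVENTS):
        print(f"self-deletion: PID {hit['parent_pid']} used cmd.exe {hit['cmd_pid']} "
              f"to kill and erase {hit['erased_path']}")
```

On the report's tree this returns a crash loop of 7 for PID 3712 and one self-deletion hit (cmd.exe 2492 under 3712). The self-deletion check deliberately requires both halves, the taskkill on the parent's image name and the erase of the same file name, so an installer that merely deletes a temp file, or a script that kills an unrelated process, does not fire.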