Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21-03-2023 13:29

Static task: static1
Behavioral task: behavioral1
Sample: 3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe
Resource: win7-20230220-en
General
- Target: 3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe
- Size: 395KB
- MD5: 32b85e5061a27630ddea16c0d4f3f9a0
- SHA1: 821e6ab0fe1fe841cf9ba24b3fc838846b4785f4
- SHA256: 3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18
- SHA512: b2c52fb67df7b28e15c24a25fca350057ca7aa9bb3fed3dd67cebe60a8b73f640de0ddea8057ec54aeddb28746e01799d13b79d860b788420aff66b851e09246
- SSDEEP: 6144:WkcteyLKfKtUdaXSc1l5JPIv5VR+ExfFtzM0sRQGHRbpLje1atpBYQW:WkjyWfKt5l5og4F20sXxbljaatUQW
Malware Config
Extracted
- Family: gcleaner
- Extracted addresses:
  - 45.139.105.171
  - 85.31.46.167
  - 107.182.129.235
  - 171.22.30.106
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1804  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
    pid   process
    1524  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1524  taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 760 wrote to memory of 1804    760   3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe  cmd.exe
    PID 760 wrote to memory of 1804    760   3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe  cmd.exe
    PID 760 wrote to memory of 1804    760   3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe  cmd.exe
    PID 760 wrote to memory of 1804    760   3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe  cmd.exe
    PID 1804 wrote to memory of 1524   1804  cmd.exe                                                                   taskkill.exe
    PID 1804 wrote to memory of 1524   1804  cmd.exe                                                                   taskkill.exe
    PID 1804 wrote to memory of 1524   1804  cmd.exe                                                                   taskkill.exe
    PID 1804 wrote to memory of 1524   1804  cmd.exe                                                                   taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe" & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken