Analysis

max time kernel: 27s
max time network: 31s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2023 13:29

Static task: static1
Behavioral task: behavioral1
Sample: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
Resource: win7-20230220-en
General

Target: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe
Size: 382KB
MD5: 0b210149771c6be2ed5b6b35a5cce602
SHA1: 0eb97fd3876ad888b1a9c6eae468ff607a3cf6d3
SHA256: efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c
SHA512: 82d1871482bd12cbfa280faaafb1714ad52f6eed816584503583a3d6954e121c019c31f1414dd7c0ca23b081e63f8cf79e6b9766b7ad814aa3f6bb90fac29799
SSDEEP: 6144:De/8LygqoByTolrDZkS/C12BZphqoLZ4PUyym3wVLvuVNG23BO:DQ8WgWopZkmCkZphqo2PUyB3wRGV42
Malware Config

Extracted
Family: gcleaner
C2:
  45.139.105.171
  85.31.46.167
  107.182.129.235
  171.22.30.106
Signatures

Deletes itself (1 IoCs)
Processes:
  pid   process
  2016  cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this is a generic heuristic. The extracted configuration identifies the sample as gcleaner, and nothing else in this report (process tree, other signatures) shows file encryption.

Kills process with taskkill (1 IoCs)
Processes:
  pid  process
  768  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  768  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process                                                                   target process
  PID 1220 wrote to memory of 2016  1220  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe  cmd.exe
  PID 1220 wrote to memory of 2016  1220  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe  cmd.exe
  PID 1220 wrote to memory of 2016  1220  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe  cmd.exe
  PID 1220 wrote to memory of 2016  1220  efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe  cmd.exe
  PID 2016 wrote to memory of 768   2016  cmd.exe                                                                   taskkill.exe
  PID 2016 wrote to memory of 768   2016  cmd.exe                                                                   taskkill.exe
  PID 2016 wrote to memory of 768   2016  cmd.exe                                                                   taskkill.exe
  PID 2016 wrote to memory of 768   2016  cmd.exe                                                                   taskkill.exe
Note: every one of the eight writes is made by a parent into the child it has just spawned (1220 -> 2016, 2016 -> 768, matching the process tree). No write targets a process outside this chain, so the signature here reflects ordinary process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe (PID 1220)
  "C:\Users\Admin\AppData\Local\Temp\efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 2016)
        "C:\Windows\System32\cmd.exe" /c taskkill /im "efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe" & exit
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\taskkill.exe (PID 768)
              taskkill /im "efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe" /f
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

Note: the sample is 32-bit (resource tag arch:x86) running on a 64-bit image, so the requested "C:\Windows\System32\cmd.exe" is redirected by WOW64 file system redirection to C:\Windows\SysWOW64\cmd.exe; that is why the logged image path and the command line differ. The chain is a one-shot self-removal: taskkill /f terminates the parent by image name, erase then removes the dropped file, and cmd.exe exits. The report records no network activity, persistence or dropped payload in this run; only the extracted configuration links the sample to the gcleaner family.
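The taskkill-and-erase chain above is a reliable detection point, because a benign cmd.exe rarely kills its own parent by image name and then deletes that parent's file. The following is an added example (not part of the sandbox report, and not gcleaner's or the sandbox's code) that flags the pattern from Sysmon-style process-creation events. The ProcEvent field names and the event list are constructed for this example; only the command lines and PIDs mirror the report's process tree, and a benign taskkill/del command is included to show it is not matched.

```python
# Added example (not part of the sandbox report): flag the cmd.exe
# "taskkill /im <self> /f & erase <self>" self-removal chain from
# Sysmon-style process-creation events. Field names and the event list
# below are constructed for this example; only the command lines and PIDs
# mirror the report's process tree.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path of the new process
    cmdline: str   # command line as logged


SAMPLE = "efae384fcbecbe561ae78555645c7eb4cf49bad9a3af6204b584b3572d18fd5c.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed events: the three-process chain from the report plus a
# benign admin script that also uses taskkill and del, but against
# something other than its own parent.
EVENTS = [
    ProcEvent(1220, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2016, 1220, "C:\\Windows\\SysWOW64\\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE}" /f '
              f'& erase "{SAMPLE_PATH}" & exit'),
    ProcEvent(768, 2016, "C:\\Windows\\SysWOW64\\taskkill.exe",
              f'taskkill /im "{SAMPLE}" /f'),
    ProcEvent(3000, 1, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcEvent(3001, 3000, "C:\\Windows\\System32\\cmd.exe",
              'cmd /c taskkill /im notepad.exe /f & del "C:\\tmp\\scratch.txt"'),
]

# taskkill ... /im <image name>   (quotes optional, options may precede /im)
TASKKILL_RE = re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?([^"\s]+)"?', re.I)
# erase|del <path>   up to the next '&' or end of line (quotes optional)
DELETE_RE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete(events):
    """Return (parent_pid, cmd_pid, parent_image) for every cmd.exe whose
    command line kills its own parent by image name (taskkill /im) and
    deletes the parent's image file (erase/del)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        kill = TASKKILL_RE.search(e.cmdline)
        wipe = DELETE_RE.search(e.cmdline)
        if not (kill and wipe):
            continue
        # taskkill /im matches on image name, so compare the basename;
        # the delete target must be the parent's full image path.
        if (kill.group(1).lower() == basename(parent.image)
                and wipe.group(1).strip().lower() == parent.image.lower()):
            hits.append((parent.pid, e.pid, parent.image))
    return hits


if __name__ == "__main__":
    for ppid, pid, image in find_self_delete(EVENTS):
        print(f"self-delete chain: cmd.exe {pid} removing parent {ppid} ({image})")
```

The check deliberately ties both halves of the command line to the parent recorded in the event: matching on "taskkill ... erase" alone would also fire on the benign cleanup script, while requiring the kill target to be the parent's image name and the delete target to be the parent's own path isolates the self-removal. In a real pipeline the parent lookup would come from the logging source's parent-process fields rather than from an in-memory PID map, since PIDs are reused.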