Analysis
- max time kernel: 111s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 14:36
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
  - Resource: win7-20230220-en
General
- Target: 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
- Size: 312KB
- MD5: ae3afa452244676d55392d13204a9f67
- SHA1: cbfb355b8cb2aad2ddeded588358491083bb2306
- SHA256: 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282
- SHA512: c6b2b5f5587fa78dba3f500e31e353f2fb28056ce4e031f377f4c4af7d6a9e8a1b548025954ed0c1b181f326003090e459b8c298416c136a3b8ebf3ec1cbc97d
- SSDEEP: 6144:q6xqXIQqjW59PnLC4NjserDQjwHgb8D7mpjY0GU:1oXIQqjsNnLC4NjXUqm8
Malware Config
- Extracted family: gcleaner
- C2 addresses:
  - 45.12.253.56
  - 45.12.253.72
  - 45.12.253.98
  - 45.12.253.75
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description       | ioc                                                                                                | process
    Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (8 IoCs)
  Processes:
    pid  | pid_target | process      | target process
    3196 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
    2084 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
    3104 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
    1348 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
    1008 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
    1852 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
    2396 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
    3076 | 2196       | WerFault.exe | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
- Kills process with taskkill (1 IoCs)
  Processes:
    pid  | process
    1108 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              | pid  | process
    Token: SeDebugPrivilege  | 1108 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        | pid  | process                                                              | target process
    PID 2196 wrote to memory of 5088   | 2196 | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe | cmd.exe
    PID 2196 wrote to memory of 5088   | 2196 | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe | cmd.exe
    PID 2196 wrote to memory of 5088   | 2196 | 42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe | cmd.exe
    PID 5088 wrote to memory of 1108   | 5088 | cmd.exe                                                              | taskkill.exe
    PID 5088 wrote to memory of 1108   | 5088 | cmd.exe                                                              | taskkill.exe
    PID 5088 wrote to memory of 1108   | 5088 | cmd.exe                                                              | taskkill.exe
Processes (indentation shows the parent/child tree; the original listing marked each entry with its depth)
- C:\Users\Admin\AppData\Local\Temp\42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 692
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 764
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 920
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 784
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 920
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 948
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 952
    Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe" & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe" /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 976
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2196 -ip 2196
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2196 -ip 2196
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2196 -ip 2196
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2196 -ip 2196
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2196 -ip 2196
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2196 -ip 2196