Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2023 21:30
Static task: static1
Behavioral task: behavioral1
- Sample: c539e1b35b57d8924a24e156bfcc7975.exe
- Resource: win7-20230220-en
General
- Target: c539e1b35b57d8924a24e156bfcc7975.exe
- Size: 286KB
- MD5: c539e1b35b57d8924a24e156bfcc7975
- SHA1: 41be2de44376f7cc477d9213867f288702fc9a8d
- SHA256: ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f
- SHA512: 8019d2e229244e74228fc1dbe1ac0a21eca864ab355e70ac54c29959c31f12511883f5ea218e424e81cb511183e7fabbe0f3bc87c9d3bd7436bfe42c58ee56b9
- SSDEEP: 3072:PpyvhHX7mjjOOM+WCBSi1pm64MlT6pb7gI7DOr2mntlMwGiphVBVda5MWaOiuCPg:xSCjvhbmWlQ7PyztHphna5DRiuIq59P
Malware Config
Extracted: gcleaner
- 45.12.253.56
- 45.12.253.72
- 45.12.253.98
- 45.12.253.75
Signatures
- Deletes itself (1 IoCs)
  Processes:
  pid  process
  1420 cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes:
  pid  process
  512  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description             pid  process
  Token: SeDebugPrivilege 512  taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                        pid   process                                target process
  PID 2032 wrote to memory of 1420   2032  c539e1b35b57d8924a24e156bfcc7975.exe   cmd.exe
  PID 2032 wrote to memory of 1420   2032  c539e1b35b57d8924a24e156bfcc7975.exe   cmd.exe
  PID 2032 wrote to memory of 1420   2032  c539e1b35b57d8924a24e156bfcc7975.exe   cmd.exe
  PID 2032 wrote to memory of 1420   2032  c539e1b35b57d8924a24e156bfcc7975.exe   cmd.exe
  PID 1420 wrote to memory of 512    1420  cmd.exe                                taskkill.exe
  PID 1420 wrote to memory of 512    1420  cmd.exe                                taskkill.exe
  PID 1420 wrote to memory of 512    1420  cmd.exe                                taskkill.exe
  PID 1420 wrote to memory of 512    1420  cmd.exe                                taskkill.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c539e1b35b57d8924a24e156bfcc7975.exe
   "C:\Users\Admin\AppData\Local\Temp\c539e1b35b57d8924a24e156bfcc7975.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "c539e1b35b57d8924a24e156bfcc7975.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\c539e1b35b57d8924a24e156bfcc7975.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         taskkill /im "c539e1b35b57d8924a24e156bfcc7975.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken