Analysis
max time kernel: 114s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2023 21:30
Static task: static1
Behavioral task: behavioral1
Sample: c539e1b35b57d8924a24e156bfcc7975.exe
Resource: win7-20230220-en
General
Target: c539e1b35b57d8924a24e156bfcc7975.exe
Size: 286KB
MD5: c539e1b35b57d8924a24e156bfcc7975
SHA1: 41be2de44376f7cc477d9213867f288702fc9a8d
SHA256: ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f
SHA512: 8019d2e229244e74228fc1dbe1ac0a21eca864ab355e70ac54c29959c31f12511883f5ea218e424e81cb511183e7fabbe0f3bc87c9d3bd7436bfe42c58ee56b9
SSDEEP: 3072:PpyvhHX7mjjOOM+WCBSi1pm64MlT6pb7gI7DOr2mntlMwGiphVBVda5MWaOiuCPg:xSCjvhbmWlQ7PyztHphna5DRiuIq59P
Malware Config
Extracted
Family: gcleaner
C2 hosts:
  45.12.253.56
  45.12.253.72
  45.12.253.98
  45.12.253.75
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely a geofence check (the sample decides whether to run based on the victim's locale).
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
  process: c539e1b35b57d8924a24e156bfcc7975.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The rule text calls this "likely ransomware behaviour", but it is a generic heuristic with no IoC attached here, and the report records no file encryption; read it as environment profiling unless other evidence turns up.

Program crash (9 IoCs)
WerFault.exe was launched nine times for the sample process (PID 4604): the sample crashed repeatedly in this environment rather than completing its run.
  pid   pid_target  process       target process
  4640  4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  1544  4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  624   4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  232   4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  4956  4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  4724  4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  4864  4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  4148  4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe
  3540  4604        WerFault.exe  c539e1b35b57d8924a24e156bfcc7975.exe

Kills process with taskkill (1 IoC)
  pid   process
  3776  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 3776
  process: taskkill.exe
This is taskkill.exe itself enabling SeDebugPrivilege so it can open and terminate the target; the privilege use is attributable to the helper tool, not to code in the sample.

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                               target process
  PID 4604 wrote to memory of 3820   4604  c539e1b35b57d8924a24e156bfcc7975.exe  cmd.exe
  PID 4604 wrote to memory of 3820   4604  c539e1b35b57d8924a24e156bfcc7975.exe  cmd.exe
  PID 4604 wrote to memory of 3820   4604  c539e1b35b57d8924a24e156bfcc7975.exe  cmd.exe
  PID 3820 wrote to memory of 3776   3820  cmd.exe                               taskkill.exe
  PID 3820 wrote to memory of 3776   3820  cmd.exe                               taskkill.exe
  PID 3820 wrote to memory of 3776   3820  cmd.exe                               taskkill.exe
Every entry is a parent writing into a child it has just created (the writes CreateProcess performs while setting up the new process). No write targets a pre-existing, unrelated process, so this signature is not evidence of code injection here.
Processes
(indentation shows parent/child depth; the "-pss" WerFault.exe instances are not children of the sample and appear at the top level)

C:\Users\Admin\AppData\Local\Temp\c539e1b35b57d8924a24e156bfcc7975.exe  (PID 4604)
  "C:\Users\Admin\AppData\Local\Temp\c539e1b35b57d8924a24e156bfcc7975.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 452
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 764
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 772
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 772
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 836
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 928
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 928
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1364
    - Program crash
    C:\Windows\SysWOW64\cmd.exe  (PID 3820)
      "C:\Windows\System32\cmd.exe" /c taskkill /im "c539e1b35b57d8924a24e156bfcc7975.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\c539e1b35b57d8924a24e156bfcc7975.exe" & exit
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe  (PID 3776)
          taskkill /im "c539e1b35b57d8924a24e156bfcc7975.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1408
    - Program crash

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4604 -ip 4604

Notes on the tree: the cmd.exe command line is a self-removal routine (force-kill the sample by image name, erase its file from %TEMP%, exit); because the commands are chained with "&", the erase runs whether or not taskkill succeeded. The command line names System32\cmd.exe, but the image that ran is the SysWOW64 copy, which is the expected file-system redirection for a 32-bit (arch:x86) sample on x64 Windows. Each user-mode WerFault.exe report ("-u -p 4604") is paired with a service-side "-pss" instance for the same crash, so the nine crashes are recorded as eighteen WerFault.exe processes.
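The two behaviours that stand out in this report, the cmd.exe self-removal chain and the WerFault crash loop against one PID, can be turned into detection logic over process-creation telemetry. The following is an added example, not part of the sandbox report and not the sample's code. It runs over constructed events shaped like the process tree above; the parent PID of the sample (2148), the PIDs of the extra benign rows and the event tuple layout are assumptions made for the example.

```python
"""Detection logic for two behaviours in the report above, run over constructed
process-creation events: (1) a cmd.exe child that taskkills and erases its own
parent's image (self-removal), and (2) a crash loop, i.e. repeated user-mode
WerFault.exe reports (-u ... -p <pid>) for the same target pid."""
import re
from collections import Counter

# Constructed events shaped like the process tree above, as
# (pid, ppid, image path, command line). Not real telemetry; the sample's
# parent pid (2148) and the benign rows at the end are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c539e1b35b57d8924a24e156bfcc7975.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    (4604, 2148, SAMPLE, f'"{SAMPLE}"'),
    (4640, 4604, WER, f"{WER} -u -p 4604 -s 452"),
    (1544, 4604, WER, f"{WER} -u -p 4604 -s 764"),
    (624, 4604, WER, f"{WER} -u -p 4604 -s 772"),
    (3820, 4604, CMD,
     '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "c539e1b35b57d8924a24e156bfcc7975.exe" /f '
     f'& erase "{SAMPLE}" & exit'),
    (3776, 3820, r"C:\Windows\SysWOW64\taskkill.exe",
     'taskkill /im "c539e1b35b57d8924a24e156bfcc7975.exe" /f'),
    # Service-side WER instance for one of the same crashes: must not be
    # counted as an additional crash.
    (2200, 1004, WER, f"{WER} -pss -s 416 -p 4604 -ip 4604"),
    # Benign noise (assumed): a single crash of another process, and a cmd.exe
    # that deletes a log file rather than its parent's image.
    (5100, 5000, WER, f"{WER} -u -p 5000 -s 300"),
    (5200, 4700, r"C:\Windows\System32\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /c del "C:\\Temp\\setup.log"'),
]

TASKKILL_IM = re.compile(r'/im\s+"?([^"\s]+)"?', re.IGNORECASE)
DELETE_ARG = re.compile(r'\b(?:erase|del)\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
WER_USER_MODE = re.compile(r"\s-u\s")
WER_TARGET = re.compile(r"\s-p\s+(\d+)\b")


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete(events):
    """Return (pid, ppid) for every cmd.exe whose command line both taskkills
    its parent's image name and erases/deletes the parent's image path."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if basename(image) != "cmd.exe" or ppid not in by_pid:
            continue
        parent_image = by_pid[ppid][2]
        kill = TASKKILL_IM.search(cmdline)
        wipe = DELETE_ARG.search(cmdline)
        if not (kill and wipe):
            continue
        wiped = (wipe.group(1) or wipe.group(2)).lower()
        if kill.group(1).lower() == basename(parent_image) and wiped == parent_image.lower():
            hits.append((pid, ppid))
    return hits


def find_crash_loops(events, threshold=3):
    """Count user-mode WerFault reports (-u ... -p <pid>) per crashing pid and
    return {pid: count} for pids at or above threshold. The -pss instances are
    the service-side half of the same report, so they are skipped."""
    counts = Counter()
    for _pid, _ppid, image, cmdline in events:
        if basename(image) != "werfault.exe" or not WER_USER_MODE.search(cmdline):
            continue
        target = WER_TARGET.search(cmdline)
        if target:
            counts[int(target.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for pid, ppid in find_self_delete(EVENTS):
        print(f"self-delete: cmd.exe pid {pid} kills and erases its parent pid {ppid}")
    for pid, n in find_crash_loops(EVENTS).items():
        print(f"crash loop: pid {pid} produced {n} user-mode WerFault reports")
```

The self-delete check deliberately requires both halves (a taskkill naming the parent's image and a delete naming the parent's path) to avoid firing on ordinary cleanup batch files; the crash-loop check keys on the `-u` instances only, since each crash also spawns a `-pss` instance for the same target PID.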