Analysis
max time kernel: 29s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2023 02:00
Static task: static1
Behavioral task: behavioral1
Sample: ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe
Resource: win7-20230220-en
General
Target: ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe
Size: 286KB
MD5: c539e1b35b57d8924a24e156bfcc7975
SHA1: 41be2de44376f7cc477d9213867f288702fc9a8d
SHA256: ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f
SHA512: 8019d2e229244e74228fc1dbe1ac0a21eca864ab355e70ac54c29959c31f12511883f5ea218e424e81cb511183e7fabbe0f3bc87c9d3bd7436bfe42c58ee56b9
SSDEEP: 3072:PpyvhHX7mjjOOM+WCBSi1pm64MlT6pb7gI7DOr2mntlMwGiphVBVda5MWaOiuCPg:xSCjvhbmWlQ7PyztHphna5DRiuIq59P
Malware Config
Extracted: gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures
Deletes itself (1 IoCs)
Processes:
  pid   process
  1764  cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoCs)
Processes:
  pid   process
  1464  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1464  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                         pid   process                                                                   target process
  PID 1616 wrote to memory of 1764    1616  ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe  cmd.exe
  PID 1616 wrote to memory of 1764    1616  ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe  cmd.exe
  PID 1616 wrote to memory of 1764    1616  ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe  cmd.exe
  PID 1616 wrote to memory of 1764    1616  ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe  cmd.exe
  PID 1764 wrote to memory of 1464    1764  cmd.exe                                                                   taskkill.exe
  PID 1764 wrote to memory of 1464    1764  cmd.exe                                                                   taskkill.exe
  PID 1764 wrote to memory of 1464    1764  cmd.exe                                                                   taskkill.exe
  PID 1764 wrote to memory of 1464    1764  cmd.exe                                                                   taskkill.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "ce53630e164fefbd80810e812308044a6c6705ae6c797aa680c0952b1b28c15f.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken