Analysis
max time kernel
90s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted
26/06/2023, 05:49
Static task
static1
Behavioral task
behavioral1
Sample
8cf58eb83d5a060190cd796c301ed34b.exe
Resource
win7-20230621-en
General
Target
8cf58eb83d5a060190cd796c301ed34b.exe
Size
2.6MB
MD5
8cf58eb83d5a060190cd796c301ed34b
SHA1
9aacc01d979dc768e9de2f31766c1d1f30efd0e0
SHA256
21aae3b5858a7847209d808316c742eee59080d0999ace4c1b7ff4c03c6072f8
SHA512
f4a7329d2bca3402eac6d4fcf44ce01056a7badb8643e2495bd8933f546f83a2caeb02f0c7e3b09fca20a9929e570e969df8590613fc2387965d72a693700615
SSDEEP
49152:tG/qz0PLIfDCRkDNDHdePgbtSNGu7xWCLlz0ZQIACGcd16Fxh:ICz0P8LCGJD92gJSPMCped167h
Malware Config
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation (process: FreeSpacer626.exe)

Executes dropped EXE (3 IoCs)
PID 3928: is-14P94.tmp
PID 2616: FreeSpacer626.exe
PID 4376: TKts2hJHd.exe

Loads dropped DLL (1 IoC)
PID 3928: is-14P94.tmp
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (64 IoCs)
All entries below were performed by process is-14P94.tmp.
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-6V196.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-788TC.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-UKSE1.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Config\is-FT7KN.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-OOU7J.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-8GIMP.tmp
File created: C:\Program Files (x86)\FreeSpacer626\is-KGK4G.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Config\is-98G8M.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-BNNHR.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-0TLAH.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-318P9.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-66PC9.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-VA2O1.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-6P6BT.tmp
File created: C:\Program Files (x86)\FreeSpacer626\is-FVUPD.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-U1B0L.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-ENT0P.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-LTFR6.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-94UEJ.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-HP6B4.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-1O5T5.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-34H0H.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-3SGS8.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-K9RT4.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-EVLGF.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-6NCFE.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-PHDIG.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-6EJIG.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-D75C7.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-7DHRT.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-BKCC3.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-S6HP8.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Config\is-HSQTP.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-H01L1.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-CA4AC.tmp
File created: C:\Program Files (x86)\FreeSpacer626\is-J2O3U.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-HIDUU.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-HRU4J.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-9GLFB.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-D818D.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-V2HT6.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-VBVQD.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-2SIBV.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-O44K2.tmp
File created: C:\Program Files (x86)\FreeSpacer626\is-PS82U.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-HA39Q.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-C5SQR.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-PACVD.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-UNK65.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-L0PLE.tmp
File opened for modification: C:\Program Files (x86)\FreeSpacer626\unins000.dat
File created: C:\Program Files (x86)\FreeSpacer626\is-PR765.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Config\is-D49Q5.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-J28K2.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-NV5K7.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-K0AC6.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-Q0SJ4.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-VTJLR.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-7UJ53.tmp
File created: C:\Program Files (x86)\FreeSpacer626\is-AU758.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-A7H2T.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-E3VFP.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-USGME.tmp
File created: C:\Program Files (x86)\FreeSpacer626\Skins\Blue\is-T0PEL.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
PID 4996: taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID 2616: FreeSpacer626.exe (6 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 4996: taskkill.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Each entry below was recorded 3 times; procid_target is the report's internal id of the target process.
PID 1480 wrote to memory of 3928 (process 8cf58eb83d5a060190cd796c301ed34b.exe, procid_target 84)
PID 3928 wrote to memory of 4916 (process is-14P94.tmp, procid_target 85)
PID 3928 wrote to memory of 2616 (process is-14P94.tmp, procid_target 87)
PID 4916 wrote to memory of 3320 (process net.exe, procid_target 88)
PID 2616 wrote to memory of 4376 (process FreeSpacer626.exe, procid_target 89)
PID 2616 wrote to memory of 2264 (process FreeSpacer626.exe, procid_target 93)
PID 2264 wrote to memory of 4996 (process cmd.exe, procid_target 95)
Processes
- C:\Users\Admin\AppData\Local\Temp\8cf58eb83d5a060190cd796c301ed34b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cf58eb83d5a060190cd796c301ed34b.exe"
  PID: 1480
  Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-P941U.tmp\is-14P94.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-P941U.tmp\is-14P94.tmp" /SL4 $110054 "C:\Users\Admin\AppData\Local\Temp\8cf58eb83d5a060190cd796c301ed34b.exe" 2348199 593920
    PID: 3928
    Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" helpmsg 26
      PID: 4916
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 helpmsg 26
        PID: 3320
    - C:\Program Files (x86)\FreeSpacer626\FreeSpacer626.exe
      Command line: "C:\Program Files (x86)\FreeSpacer626\FreeSpacer626.exe"
      PID: 2616
      Checks computer location settings; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\{d4949740-1050-11ee-beb7-806e6f6e6963}\TKts2hJHd.exe
        PID: 4376
        Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "FreeSpacer626.exe" /f & erase "C:\Program Files (x86)\FreeSpacer626\FreeSpacer626.exe" & exit
        PID: 2264
        Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "FreeSpacer626.exe" /f
          PID: 4996
          Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
3.5MB
MD5
fe1c841380bbb84ac8c088e938e18927
SHA1
04efcb0482b7035c1c31f6f209726f10200239b5
SHA256
37b710b42007392ffe234f81199f44c3f8edfeb0cbf0963d6b2c53b9e243e06c
SHA512
8415a6b7276d477ee5cc133b0d1e03a838bb2e4564e1f5b3a317658d843b38f0031c58d7a53c728f13ee1ea014b6da06a226bcbe9a633e63325314c0f9fc54cb

Filesize
3.5MB
MD5
fe1c841380bbb84ac8c088e938e18927
SHA1
04efcb0482b7035c1c31f6f209726f10200239b5
SHA256
37b710b42007392ffe234f81199f44c3f8edfeb0cbf0963d6b2c53b9e243e06c
SHA512
8415a6b7276d477ee5cc133b0d1e03a838bb2e4564e1f5b3a317658d843b38f0031c58d7a53c728f13ee1ea014b6da06a226bcbe9a633e63325314c0f9fc54cb

Filesize
4KB
MD5
ce494d2d223aed950fea67f657d3fa3e
SHA1
97a19c02487c41e3a079cd6764afffeb5e838b26
SHA256
c8fa111c5b9537e3b6cab9ba763e164e27fa469f2232b82a54b206a7d892b9e9
SHA512
687bf3bd7de28dc45ea622672dc59d7e45d9ce83530a7db6462447ea247a9bde061738c454e09b48531aab9cce802c8491aa730e4da65e63daf31c65ffc39fe1

Filesize
1B
MD5
cfcd208495d565ef66e7dff9f98764da
SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Filesize
1.2MB
MD5
25d799a5f8e9b2c0f55a6f1544eea332
SHA1
5bb75efea4dc5e878f261daa08abbe23de85bd42
SHA256
dd9a41bad124de9e2c50ec4aa7361b2388702d62e97b904afc9c0cbff3608517
SHA512
03a5ee8aab70bceecc95dd36b7d867cd11d7adf6ce025b841f6e93f42fd1ddd01fde75f4998c5dfa3450268f03c29bdb02f568409f01484f8f4873f71d928b88

Filesize
1.2MB
MD5
25d799a5f8e9b2c0f55a6f1544eea332
SHA1
5bb75efea4dc5e878f261daa08abbe23de85bd42
SHA256
dd9a41bad124de9e2c50ec4aa7361b2388702d62e97b904afc9c0cbff3608517
SHA512
03a5ee8aab70bceecc95dd36b7d867cd11d7adf6ce025b841f6e93f42fd1ddd01fde75f4998c5dfa3450268f03c29bdb02f568409f01484f8f4873f71d928b88

Filesize
2KB
MD5
a69559718ab506675e907fe49deb71e9
SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize
72KB
MD5
3fb36cb0b7172e5298d2992d42984d06
SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7
SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6
SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Filesize
72KB
MD5
3fb36cb0b7172e5298d2992d42984d06
SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7
SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6
SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c