Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 02/07/2023, 06:04

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 2d257873ee0ae75c9b89bd340e3e3da6.exe
Resource: win7-20230621-en
6 signatures
150 seconds
General
Target: 2d257873ee0ae75c9b89bd340e3e3da6.exe
Size: 362KB
MD5: 2d257873ee0ae75c9b89bd340e3e3da6
SHA1: 9dd9080df32b375f39df6470136a5bb107829eba
SHA256: f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512: e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
SSDEEP: 3072:aYCP40soI6S4OjdPhhFZzWUE6itRd8iEmP7WLig/ZT4rNXeCLshvYJREGKm3aGjR:g4V6IV7ErRlEakMJXbsqQjmKJuF25V8
Malware Config
Extracted
Family: gcleaner
C2:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures

Deletes itself (1 IoCs)
  pid   Process
  1176  cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
  pid   Process
  1008  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1008  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                               procid_target
  PID 2032 wrote to memory of 1176  2032  2d257873ee0ae75c9b89bd340e3e3da6.exe  30
  PID 2032 wrote to memory of 1176  2032  2d257873ee0ae75c9b89bd340e3e3da6.exe  30
  PID 2032 wrote to memory of 1176  2032  2d257873ee0ae75c9b89bd340e3e3da6.exe  30
  PID 2032 wrote to memory of 1176  2032  2d257873ee0ae75c9b89bd340e3e3da6.exe  30
  PID 1176 wrote to memory of 1008  1176  cmd.exe                               32
  PID 1176 wrote to memory of 1008  1176  cmd.exe                               32
  PID 1176 wrote to memory of 1008  1176  cmd.exe                               32
  PID 1176 wrote to memory of 1008  1176  cmd.exe                               32
Processes

1. C:\Users\Admin\AppData\Local\Temp\2d257873ee0ae75c9b89bd340e3e3da6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2d257873ee0ae75c9b89bd340e3e3da6.exe"
   PID: 2032
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "2d257873ee0ae75c9b89bd340e3e3da6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2d257873ee0ae75c9b89bd340e3e3da6.exe" & exit
      PID: 1176
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "2d257873ee0ae75c9b89bd340e3e3da6.exe" /f
         PID: 1008
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken