Analysis

max time kernel: 30s
max time network: 34s
platform: windows7_x64
resource: win7-20230705-en
resource tags: arch:x64, arch:x86, image:win7-20230705-en, locale:en-us, os:windows7-x64, system
submitted: 07/07/2023, 03:38

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe
Resource: win7-20230705-en
6 signatures
300 seconds
General

Target: 589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe
Size: 304KB
MD5: b59c8093621b9d5b5ad1905fab5aee00
SHA1: e36627f6faaee192a2ab8f4d6e7ccad03409e306
SHA256: 589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e
SHA512: 8e6ded0e24a587bd10c91ca62dd52e0f0418207484a32c407ce625c6e3af7d0963dc728caeec153c79a94e6be07d4bd4edd8c3bb4e4e6ed20fab5d4a84e8bc72
SSDEEP: 6144:i083LPjsNIaUNNsEdX/k5+qgRxx4xwdmJLaTZoA:N837js+bjX4SD4i0KKA
Malware Config

Extracted
Family: gcleaner
C2:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures

Deletes itself (1 IoC)
pid   Process
992   cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
pid   Process
2932  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2932  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                                                   procid_target
PID 2144 wrote to memory of 992   2144  589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe  28
PID 2144 wrote to memory of 992   2144  589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe  28
PID 2144 wrote to memory of 992   2144  589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe  28
PID 2144 wrote to memory of 992   2144  589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe  28
PID 992 wrote to memory of 2932   992   cmd.exe                                                                   30
PID 992 wrote to memory of 2932   992   cmd.exe                                                                   30
PID 992 wrote to memory of 2932   992   cmd.exe                                                                   30
PID 992 wrote to memory of 2932   992   cmd.exe                                                                   30
Processes

1. C:\Users\Admin\AppData\Local\Temp\589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe"
   PID: 2144
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe" & exit
      PID: 992
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "589f9841822ba66abe4cf94fc3f104307d13014de6d3ed4bc507873fe0653e2e.exe" /f
         PID: 2932
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken