Analysis
max time kernel: 92s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2024, 13:09
Static task: static1
Behavioral task: behavioral1
Sample: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
Resource: win7-20240221-en
General
Target: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
Size: 311KB
MD5: 072808f550a495b45920fa2f0f239d3e
SHA1: 72c07f574b55f5da5d8bea8d1c87e024e5925f15
SHA256: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9
SHA512: 1cbb966a3216c8968fbd58ebecdd2d55dec2567cd8d89857acd618c0d6c128c61d5edb93e7518766ea3166c8e47ecb6920360c06d37e0d1de825dd2fb16445f7
SSDEEP: 3072:WOhBfC8R+bIlGXY+XKdK1QUdLUUDO3bvd+A+kYiTmxtViZmmJVjkKbzGbIXyrN9H:L8pdoxiskxe4KW+qN9Xi
Malware Config
Extracted
gcleaner
185.172.128.90
5.42.65.115
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation
  Process: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (8 IoCs)
  pid    pid_target  Process       procid_target
  4568   2840        WerFault.exe  84
  4276   2840        WerFault.exe  84
  2520   2840        WerFault.exe  84
  1228   2840        WerFault.exe  84
  3320   2840        WerFault.exe  84
  4904   2840        WerFault.exe  84
  4532   2840        WerFault.exe  84
  404    2840        WerFault.exe  84

Kills process with taskkill (1 IoCs)
  pid    Process
  4628   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid    Process
  Token: SeDebugPrivilege  4628   taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process                                                                   procid_target
  PID 2840 wrote to memory of 3948   2840   99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe     108
  PID 2840 wrote to memory of 3948   2840   99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe     108
  PID 2840 wrote to memory of 3948   2840   99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe     108
  PID 3948 wrote to memory of 4628   3948   cmd.exe                                                                   112
  PID 3948 wrote to memory of 4628   3948   cmd.exe                                                                   112
  PID 3948 wrote to memory of 4628   3948   cmd.exe                                                                   112
Processes
C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe"
  PID: 2840
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 740
      PID: 4568
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 748
      PID: 4276
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 792
      PID: 2520
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 756
      PID: 1228
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 904
      PID: 3320
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 976
      PID: 4904
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1344
      PID: 4532
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" & exit
      PID: 3948
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" /f
          PID: 4628
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1364
      PID: 404
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2840 -ip 2840
  PID: 4932

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2840 -ip 2840
  PID: 4492

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2840 -ip 2840
  PID: 2164

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2840 -ip 2840
  PID: 1012

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2840 -ip 2840
  PID: 1148

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2840 -ip 2840
  PID: 4592

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2840 -ip 2840
  PID: 3476

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2840 -ip 2840
  PID: 2452