Analysis

Max time kernel: 119s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240215-en
Resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
Submitted: 02/04/2024, 13:09

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe
  Resource: win7-20240215-en
  6 signatures, 150 seconds
General

Target: aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe
Size: 263KB
MD5: 14ad3dad94f1918960c75a5da4c58a83
SHA1: a072231bd9202dd3b34c0f3c5402fec5ca373a27
SHA256: aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda
SHA512: 9ca297a6d3568e5dfa0f153d1d47203e0bd9cf346b5eec0dd0d2cafe0d8c620212feac8bd46fb672d02879cddab6d56839092b36ee3ac8dc3b20e7c1f9d32ceb
SSDEEP: 3072:HJeIexKZfZOgiAOEVmPcbq15/fOhfTw+N08hetrR8Umdu0SPr91u368:Hg+ZfZt5OEE59L8h1Nwxbu3P
Malware Config

Extracted
Family: gcleaner
C2:
  185.172.128.90
  5.42.65.115
Signatures

Deletes itself (1 IoCs)
  pid   Process
  2560  cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
  pid   Process
  2796  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2796  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                procid_target
  PID 2592 wrote to memory of 2560  2592  aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe  28
  PID 2592 wrote to memory of 2560  2592  aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe  28
  PID 2592 wrote to memory of 2560  2592  aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe  28
  PID 2592 wrote to memory of 2560  2592  aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe  28
  PID 2560 wrote to memory of 2796  2560  cmd.exe                                                                30
  PID 2560 wrote to memory of 2796  2560  cmd.exe                                                                30
  PID 2560 wrote to memory of 2796  2560  cmd.exe                                                                30
  PID 2560 wrote to memory of 2796  2560  cmd.exe                                                                30
Processes

1. C:\Users\Admin\AppData\Local\Temp\aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2592

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 2560

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
         PID: 2796