Analysis
max time kernel: 142s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2024, 13:09
Static task: static1
Behavioral task: behavioral1
Sample: aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe
Resource: win7-20240215-en
General
Target: aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe
Size: 263KB
MD5: 14ad3dad94f1918960c75a5da4c58a83
SHA1: a072231bd9202dd3b34c0f3c5402fec5ca373a27
SHA256: aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda
SHA512: 9ca297a6d3568e5dfa0f153d1d47203e0bd9cf346b5eec0dd0d2cafe0d8c620212feac8bd46fb672d02879cddab6d56839092b36ee3ac8dc3b20e7c1f9d32ceb
SSDEEP: 3072:HJeIexKZfZOgiAOEVmPcbq15/fOhfTw+N08hetrR8Umdu0SPr91u368:Hg+ZfZt5OEE59L8h1Nwxbu3P
Malware Config
Extracted
gcleaner
185.172.128.90
5.42.65.115
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (8 IoCs)
  pid   pid_target  Process       procid_target
  1256  2228        WerFault.exe  91
  1548  2228        WerFault.exe  91
  1036  2228        WerFault.exe  91
  1148  2228        WerFault.exe  91
  1908  2228        WerFault.exe  91
  4208  2228        WerFault.exe  91
  2144  2228        WerFault.exe  91
  3384  2228        WerFault.exe  91

Kills process with taskkill (1 IoC)
  pid  Process
  736  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  736  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                Note: procid_target
  PID 2228 wrote to memory of 4464  2228  aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe  117
  PID 2228 wrote to memory of 4464  2228  aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe  117
  PID 2228 wrote to memory of 4464  2228  aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe  117
  PID 4464 wrote to memory of 736   4464  cmd.exe                                                                121
  PID 4464 wrote to memory of 736   4464  cmd.exe                                                                121
  PID 4464 wrote to memory of 736   4464  cmd.exe                                                                121
Processes
(indentation shows the parent/child relationship; each entry lists the image path, the command line and the PID)

C:\Users\Admin\AppData\Local\Temp\aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe"
  PID: 2228
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 748
      PID: 1256
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 780
      PID: 1548
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 800
      PID: 1036
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 836
      PID: 1148
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 908
      PID: 1908
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 992
      PID: 4208
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1344
      PID: 2144
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe" & exit
      PID: 4464
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "aa28923b864f555f4205239373060101ab1db7b72d9a301852bee00451c7ebda.exe" /f
          PID: 736
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1368
      PID: 3384
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2228 -ip 2228
  PID: 3848

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2228 -ip 2228
  PID: 2088

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2228 -ip 2228
  PID: 4312

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2228 -ip 2228
  PID: 3908

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2228 -ip 2228
  PID: 3140

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2228 -ip 2228
  PID: 1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
  PID: 1016

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2228 -ip 2228
  PID: 2440

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2228 -ip 2228
  PID: 3112