Analysis

max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 13:34

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: 151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe
  Resource: win7-20240319-en
  6 signatures, 150 seconds
General

Target: 151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe
Size: 311KB
MD5: 9544821ed3db4db3c54f0d795bbc1ab6
SHA1: 3dd2d16955d4e6db85051e9f368407a9d9b6870e
SHA256: 151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a
SHA512: 949cdade7a42a649f9daa2fd2940bf01c5bb4670e1bb3e7773fa76872da0ea1858009d6ee0f479638e8f3ee178d86d61b4750f61f768fdc0914f0994e68f6304
SSDEEP: 6144:7f4ZKa9IPz9hmiXK8+JjdYX+VpU/UB9Xi:r4gKIPz7mid+Jj6X+YcL

Malware Config

Extracted
Family: gcleaner
C2:
  185.172.128.90
  5.42.65.115
Signatures

Deletes itself (1 IoC)
  pid   Process
  2628  cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  pid   Process
  2280  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2280  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2968 wrote to memory of 2628   2968  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
  PID 2968 wrote to memory of 2628   2968  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
  PID 2968 wrote to memory of 2628   2968  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
  PID 2968 wrote to memory of 2628   2968  151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe  28
  PID 2628 wrote to memory of 2280   2628  cmd.exe                                                                   30
  PID 2628 wrote to memory of 2280   2628  cmd.exe                                                                   30
  PID 2628 wrote to memory of 2280   2628  cmd.exe                                                                   30
  PID 2628 wrote to memory of 2280   2628  cmd.exe                                                                   30
Processes

C:\Users\Admin\AppData\Local\Temp\151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe"
  PID: 2968
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe" & exit
    PID: 2628
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /im "151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe" /f
      PID: 2280
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

Note on the paths: the sample requests C:\Windows\System32\cmd.exe but the logged image is C:\Windows\SysWOW64\cmd.exe. The sample is a 32-bit binary (arch:x86 tag) running on the x64 image, so WoW64 file-system redirection maps System32 to SysWOW64 for it; the same applies to taskkill.exe. The chain itself is the usual self-removal trick: the sample hands a cmd.exe child a one-liner that kills the sample by image name and then erases its file from %TEMP%, so the original executable is gone from disk once the parent exits.
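The self-delete chain in the process tree above is a pattern worth detecting on its own, independent of the gcleaner family. The following is an added example, not code from the sandbox or from any vendor: it walks process-creation events (fields modelled loosely on Sysmon Event ID 1: pid, parent pid, image path, command line) and flags a cmd.exe child whose command line runs taskkill against its own parent's image name and/or erase|del against its parent's image path. The event records are constructed here to mirror the report's process tree; the parent PID 1000 of the sample and the benign setup.exe chain (PIDs 3000/3001) are assumptions added to give the detector a negative case.

```python
"""Detect a cmd.exe child that kills and/or deletes its own parent image.

Added example, not sandbox or vendor code. Event fields are modelled
loosely on Sysmon Event ID 1; the events themselves are constructed to
mirror the process tree on this page, nothing is read from the sandbox.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process, as logged
    cmdline: str   # command line, as logged


# Image path and name of the sample (verbatim from the report).
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\151ef2d3caa9606e6aa1531750361b3e413433c1f884f4d700304f1c6501978a.exe")
SAMPLE_NAME = SAMPLE_PATH.rsplit("\\", 1)[-1]

# Constructed events. PIDs 2968/2628/2280 follow the report; the sample's
# parent PID 1000 and the benign setup.exe chain (3000/3001) are assumptions.
EVENTS = [
    ProcEvent(2968, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2628, 2968, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE_NAME}" /f'
              f' & erase "{SAMPLE_PATH}" & exit'),
    ProcEvent(2280, 2628, r"C:\Windows\SysWOW64\taskkill.exe",
              f'taskkill /im "{SAMPLE_NAME}" /f'),
    ProcEvent(3000, 1000, r"C:\Users\Admin\Downloads\setup.exe",
              r'"C:\Users\Admin\Downloads\setup.exe"'),
    # Benign: an installer cleaning up a log file that is not its own image.
    ProcEvent(3001, 3000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\setup.log"'),
]

# "taskkill ... /im <name>" within the same "&"-separated command.
TASKKILL_IM = re.compile(r'taskkill\b[^&]*?/im\s+"?([^"\s]+)"?', re.I)
# "erase <path>" or "del <path>", optional switches, path optionally quoted,
# terminated by the next "&" or the end of the command line.
DELETE_TARGET = re.compile(r'\b(?:erase|del)\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete(events):
    """Return one finding per cmd.exe child whose command line targets its parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if _basename(ev.image) != "cmd.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # parent not in this window; nothing to compare against
        kill = TASKKILL_IM.search(ev.cmdline)
        wipe = DELETE_TARGET.search(ev.cmdline)
        # taskkill /im takes an image *name*, erase/del takes a *path*.
        kills_parent = bool(kill) and kill.group(1).lower() == _basename(parent.image)
        deletes_parent = bool(wipe) and wipe.group(1).strip().lower() == parent.image.lower()
        if kills_parent or deletes_parent:
            findings.append({
                "pid": ev.pid,
                "parent_pid": parent.pid,
                "parent_image": parent.image,
                "kills_parent": kills_parent,
                "deletes_parent": deletes_parent,
            })
    return findings


if __name__ == "__main__":
    for finding in find_self_delete(EVENTS):
        print(finding)
```

Run against the constructed events, the detector reports exactly one finding: cmd.exe PID 2628 both kills and deletes its parent PID 2968, while the setup.exe chain is left alone because the deleted file is not the parent's image. Comparing against the parent's actual image path rather than the string in the command line is what keeps the SysWOW64/System32 redirection from mattering here: the sample names its own %TEMP% path, not cmd.exe's.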