Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 13:34

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe
Resource: win7-20240221-en
5 signatures, 150 seconds
General

Target: 3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe
Size: 294KB
MD5: 54935c8ce5efca8a4589caa0d3e9258f
SHA1: b0eb42a85371e15ef92020c37406f59e786a503d
SHA256: 3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9
SHA512: 3fb388b769a5cae21a035ae999e5d190d941c4a146cf77e5481a5ea8337b8e1a0259a206ad04d1a902842412584825db5d2fbd7c9425fcc855581e294b7d26bc
SSDEEP: 3072:CX8L3hvoXS+bakYZXhJ1KcRvPHiiKXU57jdPWfd9Drt67JUPFk+Hc/vyK1nhlXWl:CsvYSo6r1xIiKkLixP+qIyK1nfXy5IB
Malware Config (extracted)

Family: gcleaner
C2: 185.172.128.90, 5.42.65.64
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoCs)
  pid   Process
  2568  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             pid   Process
  Token: SeDebugPrivilege 2568  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                    pid   Process                                                               procid_target
  PID 2096 wrote to memory of 2612  2096  3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe  28
  PID 2096 wrote to memory of 2612  2096  3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe  28
  PID 2096 wrote to memory of 2612  2096  3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe  28
  PID 2096 wrote to memory of 2612  2096  3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe  28
  PID 2612 wrote to memory of 2568  2612  cmd.exe                                                               30
  PID 2612 wrote to memory of 2568  2612  cmd.exe                                                               30
  PID 2612 wrote to memory of 2568  2612  cmd.exe                                                               30
  PID 2612 wrote to memory of 2568  2612  cmd.exe                                                               30
Processes

1. C:\Users\Admin\AppData\Local\Temp\3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe"
   PID: 2096
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe" & exit
      PID: 2612
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "3c187ba3a074078ac5edd0382992f66e784eb26faff2fbd55b97b1d0b0740ae9.exe" /f
         PID: 2568
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken