Analysis

max time kernel: 118s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 13:34

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
Resource: win7-20240221-en
6 signatures
150 seconds
General

Target: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
Size: 311KB
MD5: 072808f550a495b45920fa2f0f239d3e
SHA1: 72c07f574b55f5da5d8bea8d1c87e024e5925f15
SHA256: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9
SHA512: 1cbb966a3216c8968fbd58ebecdd2d55dec2567cd8d89857acd618c0d6c128c61d5edb93e7518766ea3166c8e47ecb6920360c06d37e0d1de825dd2fb16445f7
SSDEEP: 3072:WOhBfC8R+bIlGXY+XKdK1QUdLUUDO3bvd+A+kYiTmxtViZmmJVjkKbzGbIXyrN9H:L8pdoxiskxe4KW+qN9Xi
Malware Config (Extracted)

Family: gcleaner
C2: 185.172.128.90
C2: 5.42.65.115
Signatures

Deletes itself (1 IoC)
  pid   Process
  2012  cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  pid   Process
  2604  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                pid   Process
  Token: SeDebugPrivilege    2604  taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                   pid   Process                                                                   procid_target
  PID 1084 wrote to memory of   2012  99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe  28
  PID 1084 wrote to memory of   2012  99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe  28
  PID 1084 wrote to memory of   2012  99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe  28
  PID 1084 wrote to memory of   2012  99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe  28
  PID 2012 wrote to memory of   2604  cmd.exe                                                                   30
  PID 2012 wrote to memory of   2604  cmd.exe                                                                   30
  PID 2012 wrote to memory of   2604  cmd.exe                                                                   30
  PID 2012 wrote to memory of   2604  cmd.exe                                                                   30
Processes

1. C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe"
   PID: 1084
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" & exit
      PID: 2012
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" /f
         PID: 2604
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken