Analysis
- max time kernel: 145s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/04/2024, 13:34

Static task: static1
Behavioral task: behavioral1
- Sample: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
- Resource: win7-20240221-en
General
- Target: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
- Size: 311KB
- MD5: 072808f550a495b45920fa2f0f239d3e
- SHA1: 72c07f574b55f5da5d8bea8d1c87e024e5925f15
- SHA256: 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9
- SHA512: 1cbb966a3216c8968fbd58ebecdd2d55dec2567cd8d89857acd618c0d6c128c61d5edb93e7518766ea3166c8e47ecb6920360c06d37e0d1de825dd2fb16445f7
- SSDEEP: 3072:WOhBfC8R+bIlGXY+XKdK1QUdLUUDO3bvd+A+kYiTmxtViZmmJVjkKbzGbIXyrN9H:L8pdoxiskxe4KW+qN9Xi
Malware Config
Extracted: gcleaner
- 185.172.128.90
- 5.42.65.115
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (9 IoCs)
  pid | pid_target | Process | procid_target
  4952 | 1708 | WerFault.exe | 84
  1348 | 1708 | WerFault.exe | 84
  1736 | 1708 | WerFault.exe | 84
  3500 | 1708 | WerFault.exe | 84
  4828 | 1708 | WerFault.exe | 84
  3380 | 1708 | WerFault.exe | 84
  2544 | 1708 | WerFault.exe | 84
  1360 | 1708 | WerFault.exe | 84
  3396 | 1708 | WerFault.exe | 84
- Kills process with taskkill (1 IoCs)
  pid | Process
  1636 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1636 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1708 wrote to memory of 852 | 1708 | 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe | 114
  PID 1708 wrote to memory of 852 | 1708 | 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe | 114
  PID 1708 wrote to memory of 852 | 1708 | 99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe | 114
  PID 852 wrote to memory of 1636 | 852 | cmd.exe | 117
  PID 852 wrote to memory of 1636 | 852 | cmd.exe | 117
  PID 852 wrote to memory of 1636 | 852 | cmd.exe | 117
Processes
- C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe"
  PID: 1708
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 748
    PID: 4952
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 760
    PID: 1348
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 784
    PID: 1736
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 792
    PID: 3500
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 812
    PID: 4828
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 936
    PID: 3380
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1004
    PID: 2544
    Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1352
    PID: 1360
    Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" & exit
    PID: 852
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "99d42ee02b2d43170796ccb36e5f05318a713fbbb2b48067024a555a58a57dc9.exe" /f
      PID: 1636
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1448
    PID: 3396
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1708 -ip 1708
  PID: 1316
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708
  PID: 3420
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1708 -ip 1708
  PID: 5052
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1708 -ip 1708
  PID: 4944
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1708 -ip 1708
  PID: 3788
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1708 -ip 1708
  PID: 3724
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1708 -ip 1708
  PID: 4644
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1708 -ip 1708
  PID: 1884
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1708 -ip 1708
  PID: 3968