Analysis
-
max time kernel
140s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19/04/2024, 17:24 UTC
Static task
static1
Behavioral task
behavioral1
Sample
b6e4dc4fd0cc50fbb1236fe1108b886d.exe
Resource
win7-20240215-en
General
-
Target
b6e4dc4fd0cc50fbb1236fe1108b886d.exe
-
Size
342KB
-
MD5
b6e4dc4fd0cc50fbb1236fe1108b886d
-
SHA1
ca17fc4111dbc08551aabe0e890c337448a19eda
-
SHA256
114aa6cb595ed49423707788c3a06a79e250d23d0615108cbb3fb5bdd20af5c8
-
SHA512
eaebb7b46714e2e15fd604383f5c7bb092c7f2669edf1c462544aeb3a11a38b8feacdfae7b78fe6cc0b96c6764909dad7e249c0d31320a26c5df1fa1c911dfbb
-
SSDEEP
3072:FGSlqrvGown4AMsIqQk+ooNKeDe0T+ZvcXwR+YKZfwmuF5GZ4WDm/5O5XP0hd5A/:FanwpoNfe0Tb0aBwmuWaWa/5ORMAQOo
Malware Config
Extracted
gcleaner
185.172.128.90
5.42.65.64
-
url_path
/advdlc.php
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation b6e4dc4fd0cc50fbb1236fe1108b886d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
pid pid_target Process procid_target 2200 2548 WerFault.exe 88 2556 2548 WerFault.exe 88 1808 2548 WerFault.exe 88 224 2548 WerFault.exe 88 4632 2548 WerFault.exe 88 1520 2548 WerFault.exe 88 180 2548 WerFault.exe 88 4156 2548 WerFault.exe 88 -
Kills process with taskkill 1 IoCs
pid Process 892 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 892 taskkill.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2548 wrote to memory of 3060 2548 b6e4dc4fd0cc50fbb1236fe1108b886d.exe 115 PID 2548 wrote to memory of 3060 2548 b6e4dc4fd0cc50fbb1236fe1108b886d.exe 115 PID 2548 wrote to memory of 3060 2548 b6e4dc4fd0cc50fbb1236fe1108b886d.exe 115 PID 3060 wrote to memory of 892 3060 cmd.exe 117 PID 3060 wrote to memory of 892 3060 cmd.exe 117 PID 3060 wrote to memory of 892 3060 cmd.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\b6e4dc4fd0cc50fbb1236fe1108b886d.exe"C:\Users\Admin\AppData\Local\Temp\b6e4dc4fd0cc50fbb1236fe1108b886d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 7442⤵
- Program crash
PID:2200
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 7642⤵
- Program crash
PID:2556
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 7442⤵
- Program crash
PID:1808
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 8162⤵
- Program crash
PID:224
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 9042⤵
- Program crash
PID:4632
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 9802⤵
- Program crash
PID:1520
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 10322⤵
- Program crash
PID:180
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 13642⤵
- Program crash
PID:4156
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "b6e4dc4fd0cc50fbb1236fe1108b886d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b6e4dc4fd0cc50fbb1236fe1108b886d.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "b6e4dc4fd0cc50fbb1236fe1108b886d.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2548 -ip 25481⤵PID:4456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2548 -ip 25481⤵PID:1616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2548 -ip 25481⤵PID:1652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2548 -ip 25481⤵PID:4948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2548 -ip 25481⤵PID:2716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2548 -ip 25481⤵PID:2456
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵PID:5040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2548 -ip 25481⤵PID:4548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2548 -ip 25481⤵PID:2192
Network
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.197.17.2.in-addr.arpaIN PTRResponse240.197.17.2.in-addr.arpaIN PTRa2-17-197-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.126.166.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request24.139.73.23.in-addr.arpaIN PTRResponse24.139.73.23.in-addr.arpaIN PTRa23-73-139-24deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request2.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:185.172.128.90:80RequestGET /cpa/ping.php?substr=one&s=two HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
User-Agent: 1
Host: 185.172.128.90
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request90.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestchromewebstore.googleapis.comIN AResponsechromewebstore.googleapis.comIN A142.250.178.10chromewebstore.googleapis.comIN A172.217.16.234chromewebstore.googleapis.comIN A142.250.200.10chromewebstore.googleapis.comIN A142.250.200.42chromewebstore.googleapis.comIN A216.58.201.106chromewebstore.googleapis.comIN A216.58.204.74chromewebstore.googleapis.comIN A172.217.169.10chromewebstore.googleapis.comIN A216.58.212.202chromewebstore.googleapis.comIN A216.58.212.234chromewebstore.googleapis.comIN A172.217.169.42chromewebstore.googleapis.comIN A142.250.179.234chromewebstore.googleapis.comIN A142.250.180.10chromewebstore.googleapis.comIN A142.250.187.202chromewebstore.googleapis.comIN A142.250.187.234
-
Remote address:8.8.8.8:53Requestchromewebstore.googleapis.comIN UnknownResponse
-
Remote address:8.8.8.8:53Request10.178.250.142.in-addr.arpaIN PTRResponse10.178.250.142.in-addr.arpaIN PTRlhr48s27-in-f101e100net
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request3.173.189.20.in-addr.arpaIN PTRResponse
-
185.172.128.90:80http://185.172.128.90/cpa/ping.php?substr=one&s=twohttpb6e4dc4fd0cc50fbb1236fe1108b886d.exe687 B 376 B 6 4
HTTP Request
GET http://185.172.128.90/cpa/ping.php?substr=one&s=twoHTTP Response
200 -
2.0kB 8.0kB 17 18
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
240.197.17.2.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
56.126.166.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
24.139.73.23.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 73 B 1 1
DNS Request
90.128.172.185.in-addr.arpa
-
75 B 299 B 1 1
DNS Request
chromewebstore.googleapis.com
DNS Response
142.250.178.10172.217.16.234142.250.200.10142.250.200.42216.58.201.106216.58.204.74172.217.169.10216.58.212.202216.58.212.234172.217.169.42142.250.179.234142.250.180.10142.250.187.202142.250.187.234
-
75 B 132 B 1 1
DNS Request
chromewebstore.googleapis.com
-
73 B 112 B 1 1
DNS Request
10.178.250.142.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
43.229.111.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
3.173.189.20.in-addr.arpa