Analysis

max time kernel: 106s
max time network: 125s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-04-2024 10:17

Static task: static1
Behavioral task: behavioral1
Sample: dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
Resource: win10v2004-20240412-en
General

Target: dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
Size: 342KB
MD5: 1015a2305b0adea85884b4bbfc8dc60c
SHA1: 614582da2106876204477323f23a1e7358c8e52a
SHA256: dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727
SHA512: be5a24ead38b911a7eb351f0888547be5fcc03c1305ff19a8e8b8bc541cb2687f0ca61d86582f676a2b2226e4a98789f4d933ceefa674286a03782de3cd82152
SSDEEP: 3072:08RRRU+pEImRqbP+bXJZXVyZYnljTMB9Trxk6X89vgrEkaxb9aBqXiQgtKb4i9cp:S+pmg4LsZYlkrp894ekB9QEac
Malware Config
Extracted
gcleaner
185.172.128.90
5.42.65.64
url_path: /advdlc.php
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (8 IoCs)
Processes: WerFault.exe (x8)
pid   pid_target  process       target process
1920  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
5064  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
2800  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
3048  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
3880  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
4476  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
2284  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
1500  4864        WerFault.exe  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe

Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
pid   process
1892  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: taskkill.exe
description              pid   process
Token: SeDebugPrivilege  1892  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe, cmd.exe
description                       pid   process                                                               target process
PID 4864 wrote to memory of 2596  4864  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe  cmd.exe
PID 4864 wrote to memory of 2596  4864  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe  cmd.exe
PID 4864 wrote to memory of 2596  4864  dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe  cmd.exe
PID 2596 wrote to memory of 1892  2596  cmd.exe                                                               taskkill.exe
PID 2596 wrote to memory of 1892  2596  cmd.exe                                                               taskkill.exe
PID 2596 wrote to memory of 1892  2596  cmd.exe                                                               taskkill.exe
Processes

(each entry: image path, then command line, then triggered signatures; indentation shows the parent/child depth)

C:\Users\Admin\AppData\Local\Temp\dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe
  "C:\Users\Admin\AppData\Local\Temp\dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe"
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 764
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 792
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 832
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 864
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 952
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1060
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1440
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe" & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          taskkill /im "dd96d35980d9732015b28182dcbf9b57457ef564b37ffa38f49f63cf425a9727.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1460
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4864 -ip 4864
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

memory/4864-1-0x00000000041B0000-0x00000000042B0000-memory.dmp
  Filesize: 1024KB

memory/4864-2-0x00000000045C0000-0x00000000045ED000-memory.dmp
  Filesize: 180KB

memory/4864-4-0x0000000000400000-0x0000000004049000-memory.dmp
  Filesize: 60.3MB

memory/4864-5-0x00000000045C0000-0x00000000045ED000-memory.dmp
  Filesize: 180KB