Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-04-2024 09:50
Static task: static1
Behavioral task: behavioral1
- Sample: ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
- Resource: win10v2004-20240226-en
General
- Target: ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
- Size: 293KB
- MD5: 3fa7d706bc454825143f16e01ac3a1bb
- SHA1: 96ddd3ca9af68c938de16ac55fd286a7cf44e782
- SHA256: ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64
- SHA512: d4d349b3f40535e79997c3ec18caa202164e26ff167aa85b81d52ea805a8804a450209c5cae6495a4518fe761ef5a6278ecf53c88c83155c1c61cee101afea8d
- SSDEEP: 3072:mLjEvw617PwTBXWjFGT4YpBiF+6J4zTBJ3a2mGYiv05ZxKauhEh:T17aBGjFg4YpBiF+6yzDK1ioxKauQ
Malware Config
Extracted
- gcleaner
  - 185.172.128.90
  - 5.42.65.64
  - url_path: /advdlc.php
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (9 IoCs)
  Processes:
  pid   pid_target  process       target process
  876   3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  4124  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  4644  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  1376  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  4584  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  3648  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  1844  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  1420  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  3848  3484        WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
- Kills process with taskkill (1 IoC)
  Processes:
  pid   process
  3612  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3612  taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                          pid   process                                                                 target process
  PID 3484 wrote to memory of 1408     3484  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe  cmd.exe
  PID 3484 wrote to memory of 1408     3484  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe  cmd.exe
  PID 3484 wrote to memory of 1408     3484  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe  cmd.exe
  PID 1408 wrote to memory of 3612     1408  cmd.exe                                                                 taskkill.exe
  PID 1408 wrote to memory of 3612     1408  cmd.exe                                                                 taskkill.exe
  PID 1408 wrote to memory of 3612     1408  cmd.exe                                                                 taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 748
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 736
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 748
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 812
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 904
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 904
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1080
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1336
    signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe" & exit
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /im "ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe" /f
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1332
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3484 -ip 3484
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3484 -ip 3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/3484-1-0x0000000000A30000-0x0000000000B30000-memory.dmp (Filesize 1024KB)
- memory/3484-2-0x00000000009F0000-0x0000000000A1D000-memory.dmp (Filesize 180KB)
- memory/3484-3-0x0000000000400000-0x000000000084A000-memory.dmp (Filesize 4.3MB)
- memory/3484-6-0x0000000000400000-0x000000000084A000-memory.dmp (Filesize 4.3MB)
- memory/3484-7-0x00000000009F0000-0x0000000000A1D000-memory.dmp (Filesize 180KB)