Analysis
max time kernel: 91s
max time network: 100s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-04-2024 09:50
Static task: static1
Behavioral task: behavioral1
Sample: ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
Resource: win10v2004-20240226-en
General
Target: ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
Size: 293KB
MD5: 3fa7d706bc454825143f16e01ac3a1bb
SHA1: 96ddd3ca9af68c938de16ac55fd286a7cf44e782
SHA256: ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64
SHA512: d4d349b3f40535e79997c3ec18caa202164e26ff167aa85b81d52ea805a8804a450209c5cae6495a4518fe761ef5a6278ecf53c88c83155c1c61cee101afea8d
SSDEEP: 3072:mLjEvw617PwTBXWjFGT4YpBiF+6J4zTBJ3a2mGYiv05ZxKauhEh:T17aBGjFg4YpBiF+6yzDK1ioxKauQ
Malware Config
Extracted: gcleaner
  185.172.128.90
  5.42.65.64
  url_path: /advdlc.php
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (8 IoCs)
  Processes:
  pid   pid_target  process       target process
  2052  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  4112  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  1520  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  3456  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  3196  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  2760  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  1588  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
  4360  8           WerFault.exe  ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe

- Kills process with taskkill (1 IoCs)
  Processes:
  pid   process
  1100  taskkill.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1100  taskkill.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                       pid   process                                                                 target process
  PID 8 wrote to memory of 1324     8     ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe  cmd.exe
  PID 8 wrote to memory of 1324     8     ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe  cmd.exe
  PID 8 wrote to memory of 1324     8     ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe  cmd.exe
  PID 1324 wrote to memory of 1100  1324  cmd.exe                                                                 taskkill.exe
  PID 1324 wrote to memory of 1100  1324  cmd.exe                                                                 taskkill.exe
  PID 1324 wrote to memory of 1100  1324  cmd.exe                                                                 taskkill.exe
Processes
(indentation shows process tree depth; the number before each entry is the depth as shown in the report)

1  C:\Users\Admin\AppData\Local\Temp\ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe"
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 772
      - Program crash

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 780
      - Program crash

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 804
      - Program crash

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 844
      - Program crash

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 952
      - Program crash

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 956
      - Program crash

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1420
      - Program crash

   2  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe" & exit
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /im "ef0dda851eccd4bdd9311d9299a679639299683ec4e6741ff0ce2b0366108d64.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1496
      - Program crash

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8 -ip 8

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8 -ip 8

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 8 -ip 8

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8 -ip 8

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8 -ip 8

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8 -ip 8

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 8 -ip 8

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8 -ip 8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/8-1-0x0000000000B90000-0x0000000000C90000-memory.dmp  Filesize: 1024KB
- memory/8-2-0x00000000026B0000-0x00000000026DD000-memory.dmp  Filesize: 180KB
- memory/8-3-0x0000000000400000-0x000000000084A000-memory.dmp  Filesize: 4.3MB
- memory/8-5-0x0000000000400000-0x000000000084A000-memory.dmp  Filesize: 4.3MB
- memory/8-6-0x00000000026B0000-0x00000000026DD000-memory.dmp  Filesize: 180KB