Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 22:07

Static task: static1
Behavioral task: behavioral1
Sample: 417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe
Resource: win10v2004-20240426-en
General

Target: 417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe
Size: 290KB
MD5: 5a5782420d295aacba10961b556abce9
SHA1: 1efdc423b091a4f01b34918420f1fce8056362f6
SHA256: 417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb
SHA512: 1ff02f2c0ae3348a776eb41a38a4778f730a6f769b0a6bc6208dd63cdf8783c601dbe4316b8e7d92044762273b6cbfd9652937fdea8debb19a55dc967ee1150a
SSDEEP: 3072:DKAh0X2ibXucFZ8YVLrvHvaWB/mq6mdVoM9DQ+Rob7JEzI5R3qhkFTr:rObXu2VL7HruqfbQ+m7JbahWn
Malware Config

Extracted
Family: gcleaner
C2:
  185.172.128.90
  5.42.65.64
url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
  Process: 417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (10 IoCs)
  pid   pid_target  Process       procid_target
  4584  1276        WerFault.exe  81
  3440  1276        WerFault.exe  81
  4868  1276        WerFault.exe  81
  3696  1276        WerFault.exe  81
  804   1276        WerFault.exe  81
  60    1276        WerFault.exe  81
  1380  1276        WerFault.exe  81
  4580  1276        WerFault.exe  81
  2572  1276        WerFault.exe  81
  2828  1276        WerFault.exe  81

Kills process with taskkill (1 IoC)
  pid   Process
  4736  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4736  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                               procid_target
  PID 1276 wrote to memory of 1632   1276  417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe  110
  PID 1276 wrote to memory of 1632   1276  417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe  110
  PID 1276 wrote to memory of 1632   1276  417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe  110
  PID 1632 wrote to memory of 4736   1632  cmd.exe                                                               114
  PID 1632 wrote to memory of 4736   1632  cmd.exe                                                               114
  PID 1632 wrote to memory of 4736   1632  cmd.exe                                                               114
Processes

C:\Users\Admin\AppData\Local\Temp\417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe"
  PID: 1276
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 740
      PID: 4584
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 760
      PID: 3440
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 792
      PID: 4868
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 836
      PID: 3696
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 824
      PID: 804
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 916
      PID: 60
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 804
      PID: 1380
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1160
      PID: 4580
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe" & exit
      PID: 1632
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe" /f
          PID: 4736
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1316
      PID: 2572
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1388
      PID: 2828
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1276 -ip 1276
  PID: 1896

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1276 -ip 1276
  PID: 116

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1276 -ip 1276
  PID: 4640

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1276 -ip 1276
  PID: 3320

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1276 -ip 1276
  PID: 4524

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1276 -ip 1276
  PID: 3332

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1276 -ip 1276
  PID: 4244

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1276 -ip 1276
  PID: 1120

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1276 -ip 1276
  PID: 3348

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1276 -ip 1276
  PID: 4072