Analysis

max time kernel: 91s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-05-2024 22:07

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe
Resource: win10v2004-20240426-en
7 signatures
150 seconds
General

Target: 417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe
Size: 290KB
MD5: 5a5782420d295aacba10961b556abce9
SHA1: 1efdc423b091a4f01b34918420f1fce8056362f6
SHA256: 417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb
SHA512: 1ff02f2c0ae3348a776eb41a38a4778f730a6f769b0a6bc6208dd63cdf8783c601dbe4316b8e7d92044762273b6cbfd9652937fdea8debb19a55dc967ee1150a
SSDEEP: 3072:DKAh0X2ibXucFZ8YVLrvHvaWB/mq6mdVoM9DQ+Rob7JEzI5R3qhkFTr:rObXu2VL7HruqfbQ+m7JbahWn
Malware Config (Extracted)

Family: gcleaner
C2:
  185.172.128.90
  5.42.65.64
Attributes:
  url_path: /advdlc.php
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (10 IoCs)
pid   pid_target  Process       procid_target
3144  4220        WerFault.exe  79
3400  4220        WerFault.exe  79
2356  4220        WerFault.exe  79
2436  4220        WerFault.exe  79
2028  4220        WerFault.exe  79
3748  4220        WerFault.exe  79
280   4220        WerFault.exe  79
2724  4220        WerFault.exe  79
428   4220        WerFault.exe  79
2872  4220        WerFault.exe  79

Kills process with taskkill (1 IoCs)
pid   Process
3304  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  3304  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                                               procid_target
PID 4220 wrote to memory of 3116  4220  417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe  99
PID 4220 wrote to memory of 3116  4220  417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe  99
PID 4220 wrote to memory of 3116  4220  417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe  99
PID 3116 wrote to memory of 3304  3116  cmd.exe                                                               102
PID 3116 wrote to memory of 3304  3116  cmd.exe                                                               102
PID 3116 wrote to memory of 3304  3116  cmd.exe                                                               102
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe"
  PID: 4220
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 772
      PID: 3144
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 816
      PID: 3400
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 772
      PID: 2356
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 864
      PID: 2436
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 976
      PID: 2028
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 984
      PID: 3748
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1232
      PID: 280
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1452
      PID: 2724
      - Program crash

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe" & exit
      PID: 3116
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /im "417d5ddfe8813236a773c957e9e03245bae6d32ec89d5d88c51926f05cb404bb.exe" /f
          PID: 3304
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1368
      PID: 428
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1416
      PID: 2872
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4220 -ip 4220
  PID: 4464

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4220 -ip 4220
  PID: 252

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4220 -ip 4220
  PID: 4992

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4220 -ip 4220
  PID: 488

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4220 -ip 4220
  PID: 2252

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4220 -ip 4220
  PID: 5032

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4220 -ip 4220
  PID: 2512

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4220 -ip 4220
  PID: 4456

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4220 -ip 4220
  PID: 2920

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4220 -ip 4220
  PID: 2536