Analysis
max time kernel: 131s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 21:49
Static task: static1
Behavioral task: behavioral1
Sample: 67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe
Resource: win10v2004-20240419-en
General
Target: 67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe
Size: 290KB
MD5: 4a98c98639bf8752ecdb38f1295fd605
SHA1: 1b5aaa8e6c1c803876a267847c01b01af40810ad
SHA256: 67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625
SHA512: 3c1baec7d984bf9415c0c28737089f70c5d56d475f342117c517b1cb093a5715f17a103d9ec3968c84bd7709e4c8690405b30d179d57c438afc805ef1805b71f
SSDEEP: 3072:OwV9Vhy0ynOFavDbRpk0HGIh3tPgUdonGO2r5JV1hkFTr:d/00ynYiRnHGIh3LdonGv3zhWn
Malware Config
Extracted: gcleaner
  185.172.128.90
  5.42.65.64
  url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation
  Process: 67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (10 IoCs)
  pid   pid_target  Process       procid_target
  1356  4652        WerFault.exe  84
  1420  4652        WerFault.exe  84
  1568  4652        WerFault.exe  84
  2300  4652        WerFault.exe  84
  1488  4652        WerFault.exe  84
  4360  4652        WerFault.exe  84
  5080  4652        WerFault.exe  84
  4644  4652        WerFault.exe  84
  4308  4652        WerFault.exe  84
  4016  4652        WerFault.exe  84

Kills process with taskkill (1 IoCs)
  pid   Process
  1152  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1152  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 4652 wrote to memory of 2924   4652  67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe   114
  PID 4652 wrote to memory of 2924   4652  67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe   114
  PID 4652 wrote to memory of 2924   4652  67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe   114
  PID 2924 wrote to memory of 1152   2924  cmd.exe                                                                 118
  PID 2924 wrote to memory of 1152   2924  cmd.exe                                                                 118
  PID 2924 wrote to memory of 1152   2924  cmd.exe                                                                 118
Processes

Image: C:\Users\Admin\AppData\Local\Temp\67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe
Cmd: "C:\Users\Admin\AppData\Local\Temp\67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe"
PID: 4652
Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 740
  PID: 1356
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 760
  PID: 1420
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 752
  PID: 1568
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 832
  PID: 2300
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 904
  PID: 1488
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 980
  PID: 4360
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1020
  PID: 5080
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1340
  PID: 4644
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\cmd.exe
  Cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe" & exit
  PID: 2924
  Signatures: Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\taskkill.exe
    Cmd: taskkill /im "67f112447b9495c7626de367e380882be8fe2280773f7716cf4fcc73fe0f6625.exe" /f
    PID: 1152
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1276
  PID: 4308
  Signatures: Program crash

  Image: C:\Windows\SysWOW64\WerFault.exe
  Cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1424
  PID: 4016
  Signatures: Program crash

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4652 -ip 4652
PID: 2652

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4652 -ip 4652
PID: 4628

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4652 -ip 4652
PID: 4900

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4652 -ip 4652
PID: 3160

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4652 -ip 4652
PID: 2332

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4652 -ip 4652
PID: 4692

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4652 -ip 4652
PID: 4968

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4652 -ip 4652
PID: 4708

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4652 -ip 4652
PID: 1636

Image: C:\Windows\SysWOW64\WerFault.exe
Cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4652 -ip 4652
PID: 4700