Analysis

max time kernel: 190s
max time network: 298s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-05-2024 22:56

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe
Resource: win7-20240221-en
5 signatures, 300 seconds
General

Target: c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe
Size: 353KB
MD5: 0afacd0776dd2ea8c6974b5733931c30
SHA1: f5f3abbfd7130474d3ce9b01a0263b577a7dc39f
SHA256: c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5
SHA512: c331f3e78fe4f8bf094c17253bd59006c0c63f65824b97ae8dae7c468f719f3181152e7aa537787231de7b3a70a18f428cf673e6d526c5b14fa68d1cc7c9450a
SSDEEP: 6144:fh6YQY40//H1muVHs14q6BGrnaO9qpjKRqBQe:fhcY40/NRA6Bagp2sx
Malware Config (extracted)

Family: gcleaner
C2: 185.172.128.90, 5.42.65.64
Attributes: url_path = /advdlc.php
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (8 IoCs)
pid   pid_target  Process       procid_target
2340  4496        WerFault.exe  72
808   4496        WerFault.exe  72
3252  4496        WerFault.exe  72
3488  4496        WerFault.exe  72
4468  4496        WerFault.exe  72
3344  4496        WerFault.exe  72
4436  4496        WerFault.exe  72
4404  4496        WerFault.exe  72

Kills process with taskkill (1 IoCs)
pid  Process
520  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description             pid  Process
Token: SeDebugPrivilege  520  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid   Process                                                                   procid_target
PID 4496 wrote to memory of 3404     4496  c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe  82
PID 4496 wrote to memory of 3404     4496  c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe  82
PID 4496 wrote to memory of 3404     4496  c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe  82
PID 3404 wrote to memory of 520      3404  cmd.exe                                                                   84
PID 3404 wrote to memory of 520      3404  cmd.exe                                                                   84
PID 3404 wrote to memory of 520      3404  cmd.exe                                                                   84
Processes

C:\Users\Admin\AppData\Local\Temp\c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe"
  PID: 4496
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 760
      PID: 2340
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 808
      PID: 808
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 740
      PID: 3252
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 968
      PID: 3488
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 748
      PID: 4468
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1112
      PID: 3344
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1176
      PID: 4436
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe (depth 2)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1292
      PID: 4404
      - Program crash

    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe" & exit
      PID: 3404
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe (depth 3)
          Command line: taskkill /im "c887550a97d682bafb4bfafd001468e269a29a7c12e662e151649831b69bdbd5.exe" /f
          PID: 520
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken