Analysis

max time kernel:   133s
max time network:  123s
platform:          windows10-2004_x64
resource:          win10v2004-20240419-en
resource tags:     arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted:         06-05-2024 04:34

Static task:       static1
Behavioral task:   behavioral1
Sample:            0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe
Resource:          win10v2004-20240419-en
General

Target:  0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe
Size:    301KB
MD5:     b9b9c5df6cfb4b6e3a78b499393bbe1a
SHA1:    db25b8cb8aab4feb53bb3d24430715388d8e7c58
SHA256:  0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a
SHA512:  7da9c39cf3889a40cfe478046101b1c0a658a07f69277d83afb5f2b5274d9096eb0f2081438e536434e109ad54acb3f0ab1e8601774baae2d87fb62b09a5b94a
SSDEEP:  6144:UjbJYmJ3nCN7fDrazozRg+5RHU71dVOH6a:UjlYmJ3ClfaoFgqHkdVOH6

Malware Config

Extracted: gcleaner
  185.172.128.90
  5.42.65.64
  url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.

  description         ioc                                                                                                  Process
  Key value queried   \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation   0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
  pid    pid_target   Process        procid_target
  788    1508         WerFault.exe   83
  4372   1508         WerFault.exe   83
  3508   1508         WerFault.exe   83
  2508   1508         WerFault.exe   83
  2684   1508         WerFault.exe   83
  2868   1508         WerFault.exe   83
  3548   1508         WerFault.exe   83
  4864   1508         WerFault.exe   83
  228    1508         WerFault.exe   83

Kills process with taskkill (1 IoCs)
  pid    Process
  3412   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   3412   taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid    Process                                                                 procid_target
  PID 1508 wrote to memory of 3100     1508   0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe   111
  PID 1508 wrote to memory of 3100     1508   0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe   111
  PID 1508 wrote to memory of 3100     1508   0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe   111
  PID 3100 wrote to memory of 3412     3100   cmd.exe                                                                 115
  PID 3100 wrote to memory of 3412     3100   cmd.exe                                                                 115
  PID 3100 wrote to memory of 3412     3100   cmd.exe                                                                 115
Processes

C:\Users\Admin\AppData\Local\Temp\0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe   PID:1508
  command line: "C:\Users\Admin\AppData\Local\Temp\0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe   PID:788
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 740
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe   PID:4372
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 748
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe   PID:3508
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 772
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe   PID:2508
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 812
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe   PID:2684
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 908
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe   PID:2868
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 980
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe   PID:3548
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1092
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe   PID:4864
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1348
      - Program crash

    C:\Windows\SysWOW64\cmd.exe   PID:3100
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe" & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe   PID:3412
          command line: taskkill /im "0db8a41ae5df009b2aaae567811b6619847a42f56523667a83efe1e71b82ee1a.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe   PID:228
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1368
      - Program crash

C:\Windows\SysWOW64\WerFault.exe   PID:408
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:1600
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:3740
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:4408
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:4760
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:1684
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:2772
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:212
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe   PID:1520
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1508 -ip 1508