Analysis
max time kernel: 190s
max time network: 299s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 06-05-2024 05:24
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe
  Resource: win7-20240220-en
  6 signatures
  300 seconds
General
Target: 7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe
Size: 283KB
MD5: 062be021b0337e2f22ca9d8d489b36c9
SHA1: c6fc350e0cc212a820e53a5edfa27293c533d2ad
SHA256: 7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9
SHA512: b31eaa451f247ba65a7ac59bd5fc86e1b6eda36a32b06a46ddf4c5738f382fd773829889a34e46de751bd8d2281dd45b348ddad38eb337d6aed68ff2e3c1fb6b
SSDEEP: 3072:WZen08ICS6qlZk2CcoyZ/bwsvJD4TswKYOlPFPwc4Mg8lhtG5jgdKOnc:30BkNc7/Uud4TJalP1bgg0gdK
Malware Config
Extracted
Family: gcleaner
C2:
  185.172.128.90
  5.42.65.64
Attributes:
  url_path: /advdlc.php
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (8 IoCs)
pid   pid_target  Process       procid_target
2128  3272        WerFault.exe  71
2964  3272        WerFault.exe  71
5076  3272        WerFault.exe  71
840   3272        WerFault.exe  71
1524  3272        WerFault.exe  71
3360  3272        WerFault.exe  71
4660  3272        WerFault.exe  71
3512  3272        WerFault.exe  71

Kills process with taskkill (1 IoCs)
pid   Process
2276  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2276  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                                                   procid_target
PID 3272 wrote to memory of 4556  3272  7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe  81
PID 3272 wrote to memory of 4556  3272  7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe  81
PID 3272 wrote to memory of 4556  3272  7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe  81
PID 4556 wrote to memory of 2276  4556  cmd.exe                                                                   83
PID 4556 wrote to memory of 2276  4556  cmd.exe                                                                   83
PID 4556 wrote to memory of 2276  4556  cmd.exe                                                                   83
Processes

C:\Users\Admin\AppData\Local\Temp\7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 3272

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 764
    Signatures: Program crash
    PID: 2128

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 824
    Signatures: Program crash
    PID: 2964

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 844
    Signatures: Program crash
    PID: 5076

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 948
    Signatures: Program crash
    PID: 840

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 972
    Signatures: Program crash
    PID: 1524

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1116
    Signatures: Program crash
    PID: 3360

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1180
    Signatures: Program crash
    PID: 4660

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 1272
    Signatures: Program crash
    PID: 3512

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe" & exit
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4556

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "7e2184182ec32918ec7ca20fa529bf7f935a9a5cb3f785886fb5aef485bbd2f9.exe" /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID: 2276