Analysis

max time kernel: 129s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 06-05-2024 12:18

Static task: static1
Behavioral task: behavioral1
Sample: 16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe
Resource: win10v2004-20240419-en
General

Target: 16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe
Size: 300KB
MD5: 8f95828ed2d935d8bdf5a89a766584cb
SHA1: cbe3852fdf629aa206e2150c6436d35adec77d3a
SHA256: 16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399
SHA512: d9beb9e9539cbbdae97202a80febe807a57c965d2065e1cb5e5bc94cff67cd7307b71ccc7f6471baa8488a61b48b3263acb79b8ceaa6bac7cb5df4668948c8db
SSDEEP: 3072:/2j6aBFkY9RpxeXFwtVqFt8+dGQhSW4vMqaMW+2AlWk0E+L2xyG69ekkbnoQwbMW:/29qa4t8rG5qrWnAl6JG68noQSMnV6a
Malware Config

Extracted family: gcleaner
C2:
  185.172.128.90
  5.42.65.64
url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                          Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation   16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
  pid    pid_target   Process        procid_target
  776    3040         WerFault.exe   83
  2200   3040         WerFault.exe   83
  3592   3040         WerFault.exe   83
  2012   3040         WerFault.exe   83
  3740   3040         WerFault.exe   83
  3572   3040         WerFault.exe   83
  3196   3040         WerFault.exe   83
  4168   3040         WerFault.exe   83
  1744   3040         WerFault.exe   83

Kills process with taskkill (1 IoC)
  pid    Process
  3036   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    Process
  Token: SeDebugPrivilege   3036   taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                            pid    Process                                                                 procid_target
  PID 3040 wrote to memory of 4940       3040   16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe   111
  PID 3040 wrote to memory of 4940       3040   16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe   111
  PID 3040 wrote to memory of 4940       3040   16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe   111
  PID 4940 wrote to memory of 3036       4940   cmd.exe                                                                 115
  PID 4940 wrote to memory of 3036       4940   cmd.exe                                                                 115
  PID 4940 wrote to memory of 3036       4940   cmd.exe                                                                 115
Processes

C:\Users\Admin\AppData\Local\Temp\16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe"
  PID: 3040
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 740
      PID: 776
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 748
      PID: 2200
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 748
      PID: 3592
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 760
      PID: 2012
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 892
      PID: 3740
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 960
      PID: 3572
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1020
      PID: 3196
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1348
      PID: 4168
      Signatures: Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe" & exit
      PID: 4940
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "16ad075def11aacc92cf7eb9a1541c6472e3b7276ad9c5e1e182659d688ac399.exe" /f
          PID: 3036
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1260
      PID: 1744
      Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3040 -ip 3040
  PID: 1824

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3040 -ip 3040
  PID: 3444

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3040 -ip 3040
  PID: 3920

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3040 -ip 3040
  PID: 2872

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3040 -ip 3040
  PID: 3900

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3040 -ip 3040
  PID: 3032

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3040 -ip 3040
  PID: 3344

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3040 -ip 3040
  PID: 1892

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3040 -ip 3040
  PID: 2100