Analysis

Max time kernel:   142s
Max time network:  140s
Platform:          windows10-2004_x64
Resource:          win10v2004-20240426-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         06-05-2024 19:22

Static task:       static1
Behavioral task:   behavioral1
Sample:            84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe
Resource:          win10v2004-20240426-en
General

Target:  84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe
Size:    300KB
MD5:     0bfabdcbb51b7d24864a50c4a29329c7
SHA1:    07af2d06224237d2d1883fe3664eae0f8a20d93e
SHA256:  84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce
SHA512:  8eb1c6db75cbddffd4fa8ee42c18f80a7df20428db70e99f7229f01ad5d720e2d96c2db8fbd714afd1dc023cc786902d75d344ca2ac806f8fb7b4e9974dfbed9
SSDEEP:  3072:3feGI9UO4MZPn9VvUb+MGQhSWb/RKjP6pbj72kwnrqdgz8ybhG0JLq/qf82yrngK:2PTbvESGvKT6pDeN8KhpJLWrn450rk
Malware Config

Extracted: gcleaner
  185.172.128.90
  5.42.65.64
  url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation  84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
  pid   pid_target  Process       procid_target
  3664  2152        WerFault.exe  84
  4584  2152        WerFault.exe  84
  1540  2152        WerFault.exe  84
  1708  2152        WerFault.exe  84
  2900  2152        WerFault.exe  84
  2700  2152        WerFault.exe  84
  3376  2152        WerFault.exe  84
  5000  2152        WerFault.exe  84
  3616  2152        WerFault.exe  84

Kills process with taskkill (1 IoC)
  pid  Process
  936  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  936  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2152 wrote to memory of 1656   2152  84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe  109
  PID 2152 wrote to memory of 1656   2152  84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe  109
  PID 2152 wrote to memory of 1656   2152  84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe  109
  PID 1656 wrote to memory of 936    1656  cmd.exe                                                                   112
  PID 1656 wrote to memory of 936    1656  cmd.exe                                                                   112
  PID 1656 wrote to memory of 936    1656  cmd.exe                                                                   112
Processes

C:\Users\Admin\AppData\Local\Temp\84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe  (PID 2152)
  command line: "C:\Users\Admin\AppData\Local\Temp\84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe  (PID 3664)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 740
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 4584)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 780
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 1540)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 800
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 1708)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 832
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 2900)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 924
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 2700)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 756
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 3376)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1044
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (PID 5000)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1344
      - Program crash

    C:\Windows\SysWOW64\cmd.exe  (PID 1656)
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe" & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe  (PID 936)
          command line: taskkill /im "84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe" /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID 3616)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 1316
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 2868)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 1228)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 2120)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 4496)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 4840)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 2340)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 4184)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 676)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2152 -ip 2152

C:\Windows\SysWOW64\WerFault.exe  (PID 1972)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2152 -ip 2152