Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 05:17

Static task: static1
Behavioral task: behavioral1
Sample: ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe
Resource: win10v2004-20240426-en
General

Target: ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe
Size: 263KB
MD5: 2b22a1399c5c0154571ffb9297924585
SHA1: a6fd42447b10e1457343d4b38d733010596dcd65
SHA256: ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f
SHA512: a6e72e48099fe856a4006ad364f5b763df2169e5b029ebe2e4b0681850b9b101f38f53b56b7b9361dd10cfa35677a3fd9f4e50f661aa15b91714b6b0dd0aef5c
SSDEEP: 3072:mgO69y2CthWMtmdmsj1kJiWYcHVia8b52cU4J++ciQV7OW5R70RsNh:u694rtmr1kJiWYcHAT52xt+cRV/QQ
Malware Config

Extracted
Family: gcleaner
C2: 185.172.128.90
C2: 5.42.65.64
url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                  Process
Key value queried   \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation   ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
pid    pid_target   Process        procid_target
3624   3160         WerFault.exe   82
1436   3160         WerFault.exe   82
1492   3160         WerFault.exe   82
2744   3160         WerFault.exe   82
1440   3160         WerFault.exe   82
3576   3160         WerFault.exe   82
4536   3160         WerFault.exe   82
4540   3160         WerFault.exe   82
4220   3160         WerFault.exe   82

Kills process with taskkill (1 IoC)
pid    Process
3720   taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                pid    Process
Token: SeDebugPrivilege    3720   taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid    Process                                                                  procid_target
PID 3160 wrote to memory of 436      3160   ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe   112
PID 3160 wrote to memory of 436      3160   ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe   112
PID 3160 wrote to memory of 436      3160   ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe   112
PID 436 wrote to memory of 3720      436    cmd.exe                                                                  116
PID 436 wrote to memory of 3720      436    cmd.exe                                                                  116
PID 436 wrote to memory of 3720      436    cmd.exe                                                                  116
Processes

C:\Users\Admin\AppData\Local\Temp\ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe  (PID 3160)
    command line: "C:\Users\Admin\AppData\Local\Temp\ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 3624)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 428
        signatures: Program crash
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1436)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 760
        signatures: Program crash
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1492)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 796
        signatures: Program crash
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 2744)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 752
        signatures: Program crash
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1440)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 904
        signatures: Program crash
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 3576)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1012
        signatures: Program crash
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 4536)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1080
        signatures: Program crash
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 4540)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1340
        signatures: Program crash
    +-- C:\Windows\SysWOW64\cmd.exe  (PID 436)
        command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe" & exit
        signatures: Suspicious use of WriteProcessMemory

        +-- C:\Windows\SysWOW64\taskkill.exe  (PID 3720)
            command line: taskkill /im "ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe" /f
            signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    +-- C:\Windows\SysWOW64\WerFault.exe  (PID 4220)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1436
        signatures: Program crash

Top-level WerFault.exe instances (parent not in the tree):

C:\Windows\SysWOW64\WerFault.exe  (PID 4916)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 3192)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 4232)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 3300)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 3376)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 4336)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 4028)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 1956)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3160 -ip 3160
C:\Windows\SysWOW64\WerFault.exe  (PID 5000)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3160 -ip 3160
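The three behaviours the Signatures and Processes sections record for PID 3160 (a read of the Geo\Nation registry value, nine WerFault reports against one process, and a cmd.exe child that taskkills and erases its own parent) can be matched over ordinary process-creation and registry-query telemetry. The Python below is an added example, not part of the sandbox report or of any vendor's detection content. The event records are constructed from the process tree above (the parent PID 2964 for the sample itself is assumed, since the report does not show it), and the event shape, field names and crash threshold are assumptions rather than any real EDR schema.

```python
# Added example: match the report's three behaviours over constructed telemetry.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path of the created process
    cmdline: str    # command line as recorded at creation


@dataclass(frozen=True)
class RegQueryEvent:
    pid: int
    key: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ffe0ce191143afd76370fd2cd83ecf76d644a6bf077bde9e92c20b84e6cea62f.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events mirroring the process tree in the report; ppid 2964 for the
# sample itself is an assumed launcher pid (the report does not show it).
PROC_EVENTS = [
    ProcEvent(3160, 2964, SAMPLE, '"%s"' % SAMPLE),
    *[ProcEvent(pid, 3160, WERFAULT, "%s -u -p 3160 -s %d" % (WERFAULT, sig))
      for pid, sig in [(3624, 428), (1436, 760), (1492, 796), (2744, 752), (1440, 904),
                       (3576, 1012), (4536, 1080), (4540, 1340), (4220, 1436)]],
    # cmd.exe is launched via the System32 path but runs from SysWOW64 (WoW64 redirection)
    ProcEvent(436, 3160, CMD_EXE,
              '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "%s" /f & erase "%s" & exit'
              % (basename(SAMPLE), SAMPLE)),
    ProcEvent(3720, 436, r"C:\Windows\SysWOW64\taskkill.exe",
              'taskkill /im "%s" /f' % basename(SAMPLE)),
]
REG_EVENTS = [
    RegQueryEvent(3160, r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000"
                        r"\Control Panel\International\Geo\Nation"),
]

# taskkill /im <name> /f followed by erase|del <path> inside one cmd.exe invocation
SELF_DELETE_RE = re.compile(
    r'taskkill\s+(?:/f\s+)?/im\s+"?(?P<image>[^"\s]+)"?(?:\s+/f)?\s*&\s*'
    r'(?:erase|del)\s+"?(?P<path>[^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE,
)
# the crashing pid is passed to WerFault as "-p <pid>" (in both the -u and -pss forms)
WERFAULT_TARGET_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"


def find_self_delete(events):
    """Return (cmd_pid, parent_pid, path) where cmd.exe kills and erases its own parent."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = basename(m.group("path")).lower()
        parent = by_pid.get(e.ppid)
        parent_is_target = parent is not None and basename(parent.image).lower() == target
        if m.group("image").lower() == target and parent_is_target:
            hits.append((e.pid, e.ppid, m.group("path")))
    return hits


def crash_loops(events, threshold=3):
    """Map crashing pid -> number of WerFault reports, keeping pids at or above threshold."""
    counts = Counter()
    for e in events:
        if basename(e.image).lower() != "werfault.exe":
            continue
        m = WERFAULT_TARGET_RE.search(e.cmdline)
        if m:
            counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def geofence_lookups(reg_events):
    """Pids that read HKCU\\Control Panel\\International\\Geo\\Nation (the country code)."""
    return sorted({r.pid for r in reg_events if r.key.lower().endswith(GEO_KEY_SUFFIX)})


def triage(events, reg_events):
    """Group the three findings by the pid they implicate."""
    report = defaultdict(list)
    for pid in geofence_lookups(reg_events):
        report[pid].append("queried Geo\\Nation registry value (possible geofence)")
    for pid, n in crash_loops(events).items():
        report[pid].append("%d WerFault reports for one process (crash loop)" % n)
    for cmd_pid, parent_pid, path in find_self_delete(events):
        report[parent_pid].append("self-delete via cmd.exe pid %d: %s" % (cmd_pid, path))
    return dict(report)
```

`triage(PROC_EVENTS, REG_EVENTS)` returns a single entry for PID 3160 carrying all three findings. The self-delete check deliberately requires that the erased path's file name equals the taskkill target and that the cmd.exe parent is that same image; a cmd.exe that kills and deletes some other file is a different, weaker signal. The crash-loop threshold is an assumption; nine reports for one process, as in this run, is well above it.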