Analysis
  max time kernel:  141s
  max time network: 105s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240426-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        07-05-2024 09:15
  Static task:      static1
  Behavioral task:  behavioral1
    Sample:   ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe
    Resource: win10v2004-20240426-en
General
  Target: ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe
  Size:   301KB
  MD5:    6c48223d8fa432c1b8e8fe1889fb9c14
  SHA1:   7efbdb0fb12a0a657d7de775636ee3fc23dd6b31
  SHA256: ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0
  SHA512: 189e5aa4d36b495580024c416da1bad3ac3399195bda2dbcd2350da23f7b82e932025010f958d10e8196eeb2973781fe95ddf221f68ded57374f5af8ff48efa7
  SSDEEP: 6144:+4V9+1MlmH3IGEOoxH1X+82al3EvS3buM:+4V01MEXCOo1YfalQS3b
Malware Config
  Extracted
    gcleaner
      185.172.128.90
      5.42.65.64
      url_path: /advdlc.php
Signatures
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    description: Key value queried
    ioc:         \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation
    Process:     ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Program crash (9 IoCs)
    pid   pid_target  Process       procid_target
    4292  2936        WerFault.exe  82
    2256  2936        WerFault.exe  82
    516   2936        WerFault.exe  82
    4468  2936        WerFault.exe  82
    208   2936        WerFault.exe  82
    2408  2936        WerFault.exe  82
    4568  2936        WerFault.exe  82
    1972  2936        WerFault.exe  82
    4796  2936        WerFault.exe  82

  Kills process with taskkill (1 IoC)
    pid   Process
    3360  taskkill.exe

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  3360  taskkill.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                       pid   Process                                                               procid_target
    PID 2936 wrote to memory of 2080  2936  ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe  112
    PID 2936 wrote to memory of 2080  2936  ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe  112
    PID 2936 wrote to memory of 2080  2936  ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe  112
    PID 2080 wrote to memory of 3360  2080  cmd.exe                                                               116
    PID 2080 wrote to memory of 3360  2080  cmd.exe                                                               116
    PID 2080 wrote to memory of 3360  2080  cmd.exe                                                               116
Processes
- PID 2936  Image: C:\Users\Admin\AppData\Local\Temp\ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - PID 4292  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 740
    Signatures: Program crash
  - PID 2256  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 780
    Signatures: Program crash
  - PID 516  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 740
    Signatures: Program crash
  - PID 4468  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 832
    Signatures: Program crash
  - PID 208  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 904
    Signatures: Program crash
  - PID 2408  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 980
    Signatures: Program crash
  - PID 4568  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1080
    Signatures: Program crash
  - PID 1972  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1340
    Signatures: Program crash
  - PID 2080  Image: C:\Windows\SysWOW64\cmd.exe
    Command: "C:\Windows\System32\cmd.exe" /c taskkill /im "ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe" & exit
    Signatures: Suspicious use of WriteProcessMemory
    - PID 3360  Image: C:\Windows\SysWOW64\taskkill.exe
      Command: taskkill /im "ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe" /f
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 4796  Image: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 1432
    Signatures: Program crash
- PID 688  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2936 -ip 2936
- PID 5084  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2936 -ip 2936
- PID 3872  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2936 -ip 2936
- PID 1052  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2936 -ip 2936
- PID 1704  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2936 -ip 2936
- PID 3200  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2936 -ip 2936
- PID 2144  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2936 -ip 2936
- PID 3016  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2936 -ip 2936
- PID 2672  Image: C:\Windows\SysWOW64\WerFault.exe
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2936 -ip 2936