Analysis

  max time kernel:   137s
  max time network:  125s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240419-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         07-05-2024 10:08

Static task:      static1
Behavioral task:  behavioral1
  Sample:   499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe
  Resource: win10v2004-20240419-en
General

  Target:  499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe
  Size:    264KB
  MD5:     6e1882fce90951167e3d17ef2e88c08f
  SHA1:    ba418ec0df73d25daf51094e89216ca011b2fa7f
  SHA256:  499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347
  SHA512:  3bf3b66aa88aa2d5b6b6e93576873298af30650d4b95f08c58711a33a607059339fcb1a61ae49c416fba0867065c9a60fa9d9210d3321293761bf3f1e04fe1cd
  SSDEEP:  6144:xN9w9E+xzD8zt8x8THgpkF5hgR4ud8I/x:xNGz2iuTHgOFwUc
Malware Config

Extracted

  gcleaner
    185.172.128.90
    5.42.65.64
    url_path: /advdlc.php
Signatures

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.

    description         ioc                                                                                                    Process
    Key value queried   \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation   499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (9 IoCs)

    pid    pid_target   Process        procid_target
    2460   3924         WerFault.exe   84
    860    3924         WerFault.exe   84
    3960   3924         WerFault.exe   84
    968    3924         WerFault.exe   84
    2108   3924         WerFault.exe   84
    3732   3924         WerFault.exe   84
    4380   3924         WerFault.exe   84
    452    3924         WerFault.exe   84
    3972   3924         WerFault.exe   84

- Kills process with taskkill (1 IoCs)

    pid    Process
    3700   taskkill.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)

    description               pid    Process
    Token: SeDebugPrivilege   3700   taskkill.exe

- Suspicious use of WriteProcessMemory (6 IoCs)

    description                         pid    Process                                                                 procid_target
    PID 3924 wrote to memory of 4612    3924   499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe   117
    PID 3924 wrote to memory of 4612    3924   499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe   117
    PID 3924 wrote to memory of 4612    3924   499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe   117
    PID 4612 wrote to memory of 3700    4612   cmd.exe                                                                 121
    PID 4612 wrote to memory of 3700    4612   cmd.exe                                                                 121
    PID 4612 wrote to memory of 3700    4612   cmd.exe                                                                 121
Processes

C:\Users\Admin\AppData\Local\Temp\499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe"
  PID: 3924
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 740
    PID: 2460
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 760
    PID: 860
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 740
    PID: 3960
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 812
    PID: 968
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 904
    PID: 2108
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 984
    PID: 3732
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1116
    PID: 4380
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1320
    PID: 452
    - Program crash

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe" & exit
    PID: 4612
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe" /f
      PID: 3700
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1288
    PID: 3972
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3924 -ip 3924
  PID: 3612

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3924 -ip 3924
  PID: 1408

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3924 -ip 3924
  PID: 1940

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3924 -ip 3924
  PID: 1836

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3924 -ip 3924
  PID: 2360

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3924 -ip 3924
  PID: 3712

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3924 -ip 3924
  PID: 1528

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3924 -ip 3924
  PID: 1076

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3924 -ip 3924
  PID: 1464