Analysis

Max time kernel: 90s
Max time network: 92s
Platform: windows11-21h2_x64
Resource: win11-20240426-en
Resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 07-05-2024 10:08
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe
  Resource: win10v2004-20240419-en
  7 signatures, 150 seconds
General

Target: 499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe
Size: 264KB
MD5: 6e1882fce90951167e3d17ef2e88c08f
SHA1: ba418ec0df73d25daf51094e89216ca011b2fa7f
SHA256: 499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347
SHA512: 3bf3b66aa88aa2d5b6b6e93576873298af30650d4b95f08c58711a33a607059339fcb1a61ae49c416fba0867065c9a60fa9d9210d3321293761bf3f1e04fe1cd
SSDEEP: 6144:xN9w9E+xzD8zt8x8THgpkF5hgR4ud8I/x:xNGz2iuTHgOFwUc
Malware Config

Extracted
  Family: gcleaner
  C2:
    185.172.128.90
    5.42.65.64
  Attributes:
    url_path: /advdlc.php
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (8 IoCs)
  pid   pid_target  Process       procid_target
  2776  2252        WerFault.exe  78
  1040  2252        WerFault.exe  78
  2860  2252        WerFault.exe  78
  4928  2252        WerFault.exe  78
  900   2252        WerFault.exe  78
  3036  2252        WerFault.exe  78
  3148  2252        WerFault.exe  78
  2420  2252        WerFault.exe  78

Kills process with taskkill (1 IoCs)
  pid   Process
  1452  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1452  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                procid_target
  PID 2252 wrote to memory of 3332  2252  499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe  96
  PID 2252 wrote to memory of 3332  2252  499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe  96
  PID 2252 wrote to memory of 3332  2252  499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe  96
  PID 3332 wrote to memory of 1452  3332  cmd.exe                                                                100
  PID 3332 wrote to memory of 1452  3332  cmd.exe                                                                100
  PID 3332 wrote to memory of 1452  3332  cmd.exe                                                                100
Processes

C:\Users\Admin\AppData\Local\Temp\499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe"
  PID: 2252
  Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 772
      PID: 2776
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 772
      PID: 1040
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 804
      PID: 2860
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 864
      PID: 4928
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 976
      PID: 900
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1060
      PID: 3036
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1432
      PID: 3148
      Signatures: Program crash

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe" & exit
      PID: 3332
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "499bfccf64dd99711330edea5b93161e9201d03d866b968adb82ae56d4030347.exe" /f
          PID: 1452
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1476
      PID: 2420
      Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2252 -ip 2252
  PID: 3428

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2252 -ip 2252
  PID: 3620

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2252 -ip 2252
  PID: 1624

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2252 -ip 2252
  PID: 2856

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2252 -ip 2252
  PID: 1908

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2252 -ip 2252
  PID: 2308

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2252 -ip 2252
  PID: 5008

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2252 -ip 2252
  PID: 3692