Analysis

max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 09:33

Static task: static1
Behavioral task: behavioral1
Sample: 925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe
Resource: win10v2004-20240226-en
General

Target: 925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe
Size: 263KB
MD5: c2d55f8d1e56d5a8f4f79f43ce22e373
SHA1: 548b64bc95d46895178af37a32e802eee1d3559b
SHA256: 925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d
SHA512: b232afb9817324719a381e485f86ed259de88bd3ac565a06d83f74fdb2b6ecf56f7b853c9e5ff3447d83466c19603f61b32717e8994148bd9c4fa9792a34123d
SSDEEP: 3072:mllr9lB0A3gVrz/kW8+MArGy7QR63wINzHd5BiOZm0:cr9P4rAdVyM63zzHxi
Malware Config

Extracted family: gcleaner
C2: 185.172.128.90
C2: 5.42.65.64
url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
All nine WerFault.exe instances target PID 3076, which is the sample itself (see the process tree).
pid | pid_target | Process | procid_target
3804 | 3076 | WerFault.exe | 90
4308 | 3076 | WerFault.exe | 90
2668 | 3076 | WerFault.exe | 90
4336 | 3076 | WerFault.exe | 90
2940 | 3076 | WerFault.exe | 90
768 | 3076 | WerFault.exe | 90
1368 | 3076 | WerFault.exe | 90
2360 | 3076 | WerFault.exe | 90
3212 | 3076 | WerFault.exe | 90

Kills process with taskkill (1 IoC)
pid | Process
3664 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3664 | taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Both targets are the processes spawned for the sample's self-removal: cmd.exe (PID 5072), launched by the sample, and taskkill.exe (PID 3664), launched by that cmd.exe. Each write is logged three times.
description | pid | Process | procid_target
PID 3076 wrote to memory of 5072 | 3076 | 925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe | 117
PID 3076 wrote to memory of 5072 | 3076 | 925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe | 117
PID 3076 wrote to memory of 5072 | 3076 | 925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe | 117
PID 5072 wrote to memory of 3664 | 5072 | cmd.exe | 121
PID 5072 wrote to memory of 3664 | 5072 | cmd.exe | 121
PID 5072 wrote to memory of 3664 | 5072 | cmd.exe | 121
Processes

Indentation shows the parent/child relationship; entries at the left margin have no parent within the tree. Image paths are under SysWOW64 while the command lines name System32: the sample is 32-bit (arch:x86) and runs under WoW64, where System32 is redirected to SysWOW64.

C:\Users\Admin\AppData\Local\Temp\925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe (PID 3076)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 3804)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 740
        signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 4308)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 748
        signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 2668)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 748
        signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 4336)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 784
        signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 2940)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 924
        signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 768)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1012
        signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 1368)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 824
        signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 2360)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1344
        signatures: Program crash

    C:\Windows\SysWOW64\cmd.exe (PID 5072)
        cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe" & exit
        signatures: Suspicious use of WriteProcessMemory
        note: this is the sample removing itself; it kills its own image by name and then erases the file it was run from.

        C:\Windows\SysWOW64\taskkill.exe (PID 3664)
            cmdline: taskkill /im "925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe" /f
            signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (PID 3212)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1372
        signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 1264)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe (PID 3304)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe (PID 2484)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe (PID 3792)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe (PID 5040)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe (PID 4248)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe (PID 4820)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3076 -ip 3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3416)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    note: not a descendant of the sample and carries no signature.

C:\Windows\SysWOW64\WerFault.exe (PID 1316)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe (PID 2912)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3076 -ip 3076
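Two behaviours in this report are worth turning into detection logic: the self-removal chain (the sample launches cmd.exe with `taskkill /im <own image> /f & erase <own path>`) and the crash loop (nine WerFault.exe instances against PID 3076). The following is an added example, not part of the sandbox report and not GCleaner or Triage code. It runs the two checks over constructed Sysmon-style process-creation events; the field names (pid, ppid, image, cmdline), the parent PID 2440 and the two benign look-alike cmd.exe events are assumptions, while the sample's PIDs and command lines are taken from the process tree above.

```python
"""Added example: detect self-deletion via cmd.exe and a WerFault crash loop
over constructed process-creation events (Sysmon Event ID 1 shape assumed)."""
import re
from collections import Counter

SAMPLE = "925a35418ff76ee035f8f0bdc74572757b1fbc738bcd0fbffd735606986a929d.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed events. PIDs and command lines of the sample, cmd.exe, taskkill.exe
# and WerFault.exe follow the report; ppid 2440 and the two benign cmd.exe rows are made up.
EVENTS = [
    {"pid": 3076, "ppid": 2440, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 5072, "ppid": 3076, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE}" /f '
                f'& erase "{SAMPLE_PATH}" & exit'},
    {"pid": 3664, "ppid": 5072, "image": "C:\\Windows\\SysWOW64\\taskkill.exe",
     "cmdline": f'taskkill /im "{SAMPLE}" /f'},
    # benign look-alikes: a kill with no delete, and a delete that does not target the parent image
    {"pid": 6000, "ppid": 2440, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /im notepad.exe /f"},
    {"pid": 6001, "ppid": 2440, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c taskkill /im notepad.exe /f & del "C:\\Temp\\notes.txt"'},
]
# One WerFault.exe -u instance per "Program crash" IoC in the report.
EVENTS += [
    {"pid": p, "ppid": 3076, "image": "C:\\Windows\\SysWOW64\\WerFault.exe",
     "cmdline": f"C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3076 -s {s}"}
    for p, s in [(3804, 740), (4308, 748), (2668, 748), (4336, 784), (2940, 924),
                 (768, 1012), (1368, 824), (2360, 1344), (3212, 1372)]
]

# "taskkill ... & erase|del <target>": capture the taskkill arguments and the deleted path.
TASKKILL_ERASE = re.compile(
    r'taskkill\b(?P<tk>[^&]*)&\s*(?:erase|del)\b\s*(?P<target>"[^"]*"|\S+)', re.I)
IM_ARG = re.compile(r'/im\s+("[^"]*"|\S+)', re.I)
WER_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)", re.I)


def basename(path):
    """Quoted or unquoted Windows path -> lower-case file name."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def detect_self_delete(events):
    """Flag a cmd.exe whose command line kills an image by name and then erases a
    file with the same name, where that name is the image of cmd.exe's own parent."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = TASKKILL_ERASE.search(e["cmdline"])
        im = IM_ARG.search(m.group("tk")) if m else None
        if not im:
            continue
        killed, erased = basename(im.group(1)), basename(m.group("target"))
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else None
        if killed == erased == parent_image:
            hits.append({"pid": e["pid"], "parent_pid": e["ppid"], "target_image": killed})
    return hits


def detect_crash_loop(events, threshold=3):
    """Count WerFault.exe -u launches per faulting PID (its -p argument). The report
    also lists a -pss ... -ip instance per crash; those are skipped so a single
    crash is not counted twice."""
    by_pid = {e["pid"]: e for e in events}
    counts = Counter()
    for e in events:
        if basename(e["image"]) != "werfault.exe" or "-pss" in e["cmdline"].lower():
            continue
        m = WER_TARGET.search(e["cmdline"])
        if m:
            counts[int(m.group(1))] += 1
    return [{"crashed_pid": pid, "crashes": n,
             "image": basename(by_pid[pid]["image"]) if pid in by_pid else None}
            for pid, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print("self-delete:", hit)
    for loop in detect_crash_loop(EVENTS):
        print("crash loop:", loop)
```

The self-delete check deliberately requires all three names to agree (the image named in `/im`, the file handed to `erase`/`del`, and the parent's image); a kill without a delete, or a delete of some other file, is left alone, which is what keeps the two benign rows quiet. The crash-loop threshold of three is a starting point, not a tuned value.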