Analysis
-
max time kernel
129s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system -
submitted
07-05-2024 19:18
Static task
static1
Behavioral task
behavioral1
Sample
b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe
Resource
win10v2004-20240419-en
General
-
Target
b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe
-
Size
256KB
-
MD5
55adf26a3761a44601a7eab7f2b8f5d8
-
SHA1
d44f81ff5704fed46846e092e6cd5d4fc0ce79cb
-
SHA256
b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095
-
SHA512
d005549dc1ab8a94cef596cc6a2381fa5a10b67fca0efb4768279aba45f0e06e82d7eab2bd6241e711caa1dab8025cd55dd7182eb4e0ae53b14ae786d320b3c9
-
SSDEEP
3072:/Z7rzclUOJOmG6WFFYty4OpxvAvl6sSjvqKtgIyLoL/4mZT45Nwr6h:RnzgUEO16WeOLQ+jSKtgIzR/6h
Malware Config
Extracted
gcleaner
185.172.128.90
5.42.65.64
-
url_path
/advdlc.php
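An added example, not part of the report or of the GCleaner sample, that turns the extracted config above into network indicators and matches them against proxy log lines. The two hosts and the url_path come from the config; the `http://` scheme (the config names none), the log line format and the log lines themselves are constructed for the example, since the report records no network signatures for this run.

```python
"""Match the extracted GCleaner C2 config against proxy log lines.

Added example, not from the sandbox report or the sample. The hosts and
url_path come from the report's Malware Config; the log format, the http://
scheme and the log lines themselves are constructed for the example.
"""
import re
from urllib.parse import urlsplit

C2_HOSTS = {"185.172.128.90", "5.42.65.64"}   # from the extracted config
URL_PATH = "/advdlc.php"                        # from the extracted config

# Constructed log lines: "<timestamp> <client> <method> <url> <status>".
LOG_LINES = [
    "2024-05-07T19:18:41Z 10.0.0.5 GET http://185.172.128.90/advdlc.php 200",
    "2024-05-07T19:18:42Z 10.0.0.5 GET http://5.42.65.64:80/advdlc.php?id=1 200",
    "2024-05-07T19:18:43Z 10.0.0.7 GET http://example.com/advdlc.php 404",
    "2024-05-07T19:18:44Z 10.0.0.5 GET http://185.172.128.90/favicon.ico 404",
    "malformed line",
]

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def c2_urls():
    """Full C2 URLs implied by the config (scheme assumed: the config gives none)."""
    return sorted(f"http://{host}{URL_PATH}" for host in C2_HOSTS)


def classify(url):
    """'c2' when host and path both match, 'host' for a C2 host on another path, else None.

    Matching on the parsed host ignores ports and query strings, so
    5.42.65.64:80/advdlc.php?id=1 still counts as a full match.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in C2_HOSTS:
        return None
    return "c2" if parts.path == URL_PATH else "host"


def match_log(lines):
    """Return (client, url, kind) for every parsable line that touches a C2 host."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not treated as clean
        kind = classify(m["url"])
        if kind:
            hits.append((m["client"], m["url"], kind))
    return hits


if __name__ == "__main__":
    for url in c2_urls():
        print("C2:", url)
    for client, url, kind in match_log(LOG_LINES):
        print(f"{kind:4} {client} {url}")
```

Matching on the parsed hostname rather than on the raw URL string is what keeps the `:80` port and the `?id=1` query from hiding a hit; a plain substring match on `http://5.42.65.64/advdlc.php` would miss that line. The `host` result is kept separate from `c2` so that other traffic to the same address is surfaced without being over-reported as confirmed beaconing.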
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code (Windows GeoID) configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (11 IoCs)
pid | pid_target | Process | procid_target
3188 | 1276 | WerFault.exe | 82
1948 | 1276 | WerFault.exe | 82
3240 | 1276 | WerFault.exe | 82
5056 | 1276 | WerFault.exe | 82
1048 | 1276 | WerFault.exe | 82
1180 | 1276 | WerFault.exe | 82
4748 | 1276 | WerFault.exe | 82
60 | 1276 | WerFault.exe | 82
4556 | 1276 | WerFault.exe | 82
4072 | 1276 | WerFault.exe | 82
3896 | 1276 | WerFault.exe | 82
-
Kills process with taskkill (1 IoC)
pid | Process
4344 | taskkill.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4344 | taskkill.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1276 wrote to memory of 2572 | 1276 | b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe | 114
PID 1276 wrote to memory of 2572 | 1276 | b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe | 114
PID 1276 wrote to memory of 2572 | 1276 | b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe | 114
PID 2572 wrote to memory of 4344 | 2572 | cmd.exe | 118
PID 2572 wrote to memory of 4344 | 2572 | cmd.exe | 118
PID 2572 wrote to memory of 4344 | 2572 | cmd.exe | 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe (depth 1, PID 1276)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 3188)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 744
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 1948)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 780
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 3240)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 772
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 5056)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 832
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 1048)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 904
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 1180)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 980
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 4748)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1096
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 60)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1328
    - Program crash
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2572)
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe" & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (depth 3, PID 4344)
      Command line: taskkill /im "b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 4556)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1276
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 4072)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1304
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 3896)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1364
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1800)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4068)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1216)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2644)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4020)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2996)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3548)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2588)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 216)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4484)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 2304)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1276 -ip 1276
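The three host-side behaviours the signatures flag (the Geo\Nation query, the repeated WerFault crash reporting for PID 1276, and the cmd.exe /c taskkill ... & erase ... self-deletion) can be checked from process and registry telemetry. The following is an added example, not code from the report, the sandbox or the sample: the event tuples are constructed to mirror the tree above (the parent of the top-level entries is not shown in the report and is recorded here as 0, unknown), and the tuple layout and the regular expressions are assumptions. Two caveats a practitioner will want: Sysmon's registry events (IDs 12, 13 and 14) cover key creation, value writes and renames, not value reads, so a Geo\Nation query is visible in sandbox or API tracing but not in Sysmon; and taskkill /f enabling SeDebugPrivilege is the tool's normal behaviour, so the AdjustPrivilegeToken signature here belongs to taskkill.exe, not to the sample. The example also separates the -u -p 1276 -s <handle> reporters, which are children of the crashing process at depth 2, from the -pss instances at depth 1, which are not children of the sample.

```python
"""Check constructed process and registry events for the behaviours this report flags.

Added example, not from the sandbox report or the sample. The events mirror
the report's process tree and the Geo\\Nation query; the tuple format and the
parent of the top-level entries (recorded here as 0, unknown) are assumptions.
"""
import re
from collections import Counter

SAMPLE = "b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
WERFAULT = "C:\\Windows\\SysWOW64\\WerFault.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"

# Constructed process-creation events: (pid, ppid, image, command line).
PROCS = [
    (1276, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (3188, 1276, WERFAULT, f"{WERFAULT} -u -p 1276 -s 744"),
    (1948, 1276, WERFAULT, f"{WERFAULT} -u -p 1276 -s 780"),
    (3240, 1276, WERFAULT, f"{WERFAULT} -u -p 1276 -s 772"),
    (1800, 0, WERFAULT, f"{WERFAULT} -pss -s 204 -p 1276 -ip 1276"),
    (2572, 1276, CMD,
     f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE}" /f & erase "{SAMPLE_PATH}" & exit'),
    (4344, 2572, "C:\\Windows\\SysWOW64\\taskkill.exe", f'taskkill /im "{SAMPLE}" /f'),
]
# Constructed registry value queries: (pid, value path).
REG = [
    (1276, "\\REGISTRY\\USER\\S-1-5-21-877519540-908060166-1852957295-1000"
           "\\Control Panel\\International\\Geo\\Nation"),
    (2572, "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot"),
]

GEO_VALUE = re.compile(r"\\Control Panel\\International\\Geo\\(Nation|Name)$", re.I)
WER_USER = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+\d+", re.I)
KILL_IMAGE = re.compile(r'/im\s+"?([^"\s]+)"?', re.I)
ERASE_PATH = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def geoid_readers(reg_events):
    """PIDs that read the user's GeoID (Geo\\Nation) or ISO name (Geo\\Name)."""
    return sorted({pid for pid, value in reg_events if GEO_VALUE.search(value)})


def crash_counts(procs):
    """Crashing PID -> number of WerFault reporters it spawned (-u -p <pid> -s <handle>).

    The -pss instances are started for the crash from outside the sample, so
    they are not counted; counting both would double every crash.
    """
    counts = Counter()
    for _, _, _, cmdline in procs:
        m = WER_USER.search(cmdline)
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)


def self_deletions(procs):
    """cmd.exe children that taskkill their parent's image name and erase its file."""
    by_pid = {pid: image for pid, _, image, _ in procs}
    hits = []
    for pid, ppid, image, cmdline in procs:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ppid, "").lower()
        kill, erase = KILL_IMAGE.search(cmdline), ERASE_PATH.search(cmdline)
        if not (parent and kill and erase):
            continue
        target = erase.group(1).strip()
        if parent.endswith("\\" + kill.group(1).lower()) and target.lower() == parent:
            hits.append((pid, ppid, target))
    return hits


if __name__ == "__main__":
    print("GeoID readers:", geoid_readers(REG))
    print("WerFault reporters per crashing pid:", crash_counts(PROCS))
    print("self-deletion via cmd.exe:", self_deletions(PROCS))
```

The self-deletion check deliberately requires both halves to line up with the parent: the taskkill /im target must be the parent's image name and the erase target must be the parent's full path. A looser rule that fires on any cmd.exe running taskkill would match ordinary administration scripts; this one only fires when a process arranges for its own image to be killed and removed, which is the pattern the tree above shows.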