Analysis

max time kernel: 90s
max time network: 92s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07-05-2024 19:18
Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe
Resource: win10v2004-20240419-en
7 signatures, 150 seconds
General

Target: b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe
Size: 256KB
MD5: 55adf26a3761a44601a7eab7f2b8f5d8
SHA1: d44f81ff5704fed46846e092e6cd5d4fc0ce79cb
SHA256: b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095
SHA512: d005549dc1ab8a94cef596cc6a2381fa5a10b67fca0efb4768279aba45f0e06e82d7eab2bd6241e711caa1dab8025cd55dd7182eb4e0ae53b14ae786d320b3c9
SSDEEP: 3072:/Z7rzclUOJOmG6WFFYty4OpxvAvl6sSjvqKtgIyLoL/4mZT45Nwr6h:RnzgUEO16WeOLQ+jSKtgIzR/6h
Malware Config (Extracted)

Family: gcleaner
C2:
  185.172.128.90
  5.42.65.64
Attributes:
  url_path: /advdlc.php
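The two C2 addresses and the url_path above are the only network indicators in this report, and they come from the config extraction rather than from observed traffic (the dynamic run below is dominated by crashes of the sample), so they are worth matching against network telemetry on their own. The Python below is an added example, not part of the sandbox report, that grades constructed web-proxy log lines against these indicators. The log format (timestamp, client IP, destination IP, method, URL), the severity tiers, and the 203.0.113.0/24 documentation addresses are assumptions of the example; a hit on the path alone is deliberately graded low because a generic PHP filename on an unlisted host is a weak indicator by itself.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the extracted gcleaner config in this report.
GCLEANER_C2 = {"185.172.128.90", "5.42.65.64"}
GCLEANER_URL_PATH = "/advdlc.php"

# Constructed proxy log lines for the example (not real telemetry). Assumed format:
# <timestamp> <client_ip> <dest_ip> <method> <url>. 203.0.113.10 is a documentation-range address.
SAMPLE_PROXY_LOG = """\
2024-05-07T19:18:03Z 10.0.0.15 185.172.128.90 POST http://185.172.128.90/advdlc.php
2024-05-07T19:18:05Z 10.0.0.15 5.42.65.64 GET http://5.42.65.64/update/check
2024-05-07T19:18:09Z 10.0.0.22 203.0.113.10 GET http://203.0.113.10/advdlc.php
2024-05-07T19:18:11Z 10.0.0.22 203.0.113.10 GET http://203.0.113.10/index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ip_address(rec["dst"])  # reject lines whose destination field is not an IP
    except ValueError:
        return None
    return rec


def classify(rec):
    """Grade a parsed record against the IOCs. Returns (severity, reason) or None."""
    path = urlsplit(rec["url"]).path
    ip_hit = rec["dst"] in GCLEANER_C2
    path_hit = path.lower() == GCLEANER_URL_PATH
    if ip_hit and path_hit:
        return "high", "known gcleaner C2 address with the configured url_path"
    if ip_hit:
        return "medium", "known gcleaner C2 address"
    if path_hit:
        return "low", "gcleaner url_path on a host not in the config"
    return None


def scan_proxy_log(text):
    """Run every line through the classifier and return the hits in log order."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is None:
            continue
        severity, reason = verdict
        hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                     "url": rec["url"], "severity": severity, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f'{h["severity"]:6} {h["ts"]} {h["src"]} -> {h["dst"]} {h["url"]}  ({h["reason"]})')
```

Running the block prints three hits from the four constructed lines: the POST to 185.172.128.90/advdlc.php as high, the unrelated request to 5.42.65.64 as medium, and the /advdlc.php request to the unlisted host as low; the plain index.html request produces nothing.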
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (10 IoCs)
  pid   pid_target  Process       procid_target
  796   4080        WerFault.exe  79
  5092  4080        WerFault.exe  79
  3904  4080        WerFault.exe  79
  2720  4080        WerFault.exe  79
  3140  4080        WerFault.exe  79
  2856  4080        WerFault.exe  79
  4800  4080        WerFault.exe  79
  2436  4080        WerFault.exe  79
  2748  4080        WerFault.exe  79
  3112  4080        WerFault.exe  79

Kills process with taskkill (1 IoCs)
  pid   Process
  4964  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4964  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 4080 wrote to memory of 1564  4080  b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe  96
  PID 4080 wrote to memory of 1564  4080  b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe  96
  PID 4080 wrote to memory of 1564  4080  b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe  96
  PID 1564 wrote to memory of 4964  1564  cmd.exe                                                                   100
  PID 1564 wrote to memory of 4964  1564  cmd.exe                                                                   100
  PID 1564 wrote to memory of 4964  1564  cmd.exe                                                                   100
Processes

C:\Users\Admin\AppData\Local\Temp\b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe"
  PID: 4080 - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 772
      PID: 796 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 772
      PID: 5092 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 824
      PID: 3904 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 812
      PID: 2720 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 976
      PID: 3140 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 984
      PID: 2856 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1448
      PID: 4800 - Program crash

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe" & exit
      PID: 1564 - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /im "b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe" /f
          PID: 4964 - Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1356
      PID: 2436 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1404
      PID: 2748 - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1496
      PID: 3112 - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4080 -ip 4080
  PID: 2316

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4080 -ip 4080
  PID: 4552

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4080 -ip 4080
  PID: 4748

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4080 -ip 4080
  PID: 4132

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4080 -ip 4080
  PID: 4100

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4080 -ip 4080
  PID: 4464

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4080 -ip 4080
  PID: 2832

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4080 -ip 4080
  PID: 2176

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4080 -ip 4080
  PID: 2248

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4080 -ip 4080
  PID: 2444
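The process tree shows two behaviours worth detecting in endpoint telemetry: the sample (PID 4080) spawning cmd.exe to taskkill its own image name and erase its own file, and ten WerFault.exe -u -p 4080 instances for the same faulting PID. The Python below is an added example, not part of the report, that runs both checks over a constructed list of process-creation events modelled on the tree above. The parent PIDs for the sample itself and for the service-side WerFault -pss instance are assumptions, since the report does not show them; the regexes and the crash-count threshold are the example's own choices, not a documented rule.

```python
import ntpath
import re
from collections import defaultdict

# Paths copied from the report; the sample name is derived from the full path.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b332c957510b306c89c5cd55e2496c644a0b3976c8630d918bb6859fb9062095.exe")
SAMPLE_NAME = ntpath.basename(SAMPLE_EXE)
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"
TASKKILL_IMAGE = r"C:\Windows\SysWOW64\taskkill.exe"


def ev(pid, ppid, image, cmdline):
    """One constructed process-creation event (shape assumed by this example)."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events modelled on the report's process tree. PPIDs 3220 and 900 are
# assumed (an unseen launcher and the WER service host); everything else is from the tree.
EVENTS = [
    ev(4080, 3220, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    *[ev(pid, 4080, WERFAULT, f"{WERFAULT} -u -p 4080 -s {sig}")
      for pid, sig in [(796, 772), (5092, 772), (3904, 824), (2720, 812), (3140, 976),
                       (2856, 984), (4800, 1448), (2436, 1356), (2748, 1404), (3112, 1496)]],
    ev(1564, 4080, CMD_IMAGE,
       f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE_NAME}" /f '
       f'& erase "{SAMPLE_EXE}" & exit'),
    ev(4964, 1564, TASKKILL_IMAGE, f'taskkill /im "{SAMPLE_NAME}" /f'),
    ev(2316, 900, WERFAULT, f"{WERFAULT} -pss -s 408 -p 4080 -ip 4080"),
]

# taskkill /im <image> (optionally with /f first); erase|del <path> terminated by & or end of line.
TASKKILL_RE = re.compile(r'taskkill\s+(?:/f\s+)?/im\s+"?([^"\s]+)"?', re.I)
ERASE_RE = re.compile(r'\b(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
# Only the faulting process launches WerFault with "-u -p <pid>"; the "-pss" instances are the
# WER service side of the same fault and would double-count if included.
CRASH_RE = re.compile(r"-u\s+-p\s+(\d+)", re.I)


def find_self_delete_chains(events):
    """cmd.exe children whose command line kills and erases their own parent's binary."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        kill, erase = TASKKILL_RE.search(e["cmdline"]), ERASE_RE.search(e["cmdline"])
        if not (kill and erase):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_name = ntpath.basename(parent["image"]).lower()
        # Both the killed image name and the erased path must refer to the parent binary.
        if (kill.group(1).lower() == parent_name
                and ntpath.basename(erase.group(1)).lower() == parent_name):
            hits.append({"cmd_pid": e["pid"], "target_pid": parent["pid"],
                         "target": parent["image"], "taskkill_pids": [
                             c["pid"] for c in events
                             if c["ppid"] == e["pid"]
                             and ntpath.basename(c["image"]).lower() == "taskkill.exe"]})
    return hits


def find_crash_loops(events, threshold=3):
    """PIDs that triggered at least `threshold` WerFault.exe -u -p <pid> launches."""
    counts = defaultdict(int)
    for e in events:
        if ntpath.basename(e["image"]).lower() != "werfault.exe":
            continue
        m = CRASH_RE.search(e["cmdline"])
        if m:
            counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for h in find_self_delete_chains(EVENTS):
        print(f"self-delete: cmd.exe {h['cmd_pid']} kills/erases parent {h['target_pid']} "
              f"({ntpath.basename(h['target'])}) via taskkill {h['taskkill_pids']}")
    for pid, n in find_crash_loops(EVENTS).items():
        print(f"crash loop: pid {pid} faulted {n} times")
```

On the constructed events the first check reports cmd.exe 1564 deleting its parent 4080 through taskkill 4964, and the second reports PID 4080 with ten WerFault -u launches; the -pss instance is correctly ignored. Requiring that both the taskkill target and the erased path name the parent binary keeps ordinary cleanup scripts (which kill or delete something other than their own parent) from matching.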