Analysis

max time kernel: 106s
max time network: 129s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-05-2024 19:14
Static task: static1
Behavioral task: behavioral1
Sample: 7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
Resource: win10v2004-20240508-en
General

Target: 7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
Size: 249KB
MD5: aded808384437aacda351ae705b93dfd
SHA1: 4268a4765658ddb7d7a379740397c1bd3cb17556
SHA256: 7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7
SHA512: 1b6d3c6af432400dc36004244f58e65762ec9e0ac298f12a8fc5b708c279b5aca2fb04cf755b83cad1f823f09e0c8f9a625098466d4252062effbcf92fd48844
SSDEEP: 6144:k1rsTf6DcN0H1F2MsU1N0GxcZnuWIvuznkXT3Y:k1rsTf6DO0iMsU1N0Wunu
Malware Config

Extracted: gcleaner
185.172.128.90
5.42.65.64
url_path: /advdlc.php
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
Processes:
pid   pid_target  process       target process
4184  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
2504  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
2264  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
2616  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
1484  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
4976  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
4124  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
3792  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
3160  4348        WerFault.exe  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe

Kills process with taskkill (1 IoCs)
Processes:
pid   process
5108  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description                pid   process
Token: SeDebugPrivilege    5108  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                         pid   process                                                                   target process
PID 4348 wrote to memory of 4004    4348  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe  cmd.exe
PID 4348 wrote to memory of 4004    4348  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe  cmd.exe
PID 4348 wrote to memory of 4004    4348  7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe  cmd.exe
PID 4004 wrote to memory of 5108    4004  cmd.exe                                                                   taskkill.exe
PID 4004 wrote to memory of 5108    4004  cmd.exe                                                                   taskkill.exe
PID 4004 wrote to memory of 5108    4004  cmd.exe                                                                   taskkill.exe
Processes

C:\Users\Admin\AppData\Local\Temp\7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 772
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 780
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 800
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 812
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 976
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 980
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1108
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1440
    - Program crash
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe" & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1456
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4348 -ip 4348
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4348 -ip 4348
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

memory/4348-2-0x00000000021A0000-0x00000000021CD000-memory.dmp  Filesize: 180KB
memory/4348-1-0x00000000005B0000-0x00000000006B0000-memory.dmp  Filesize: 1024KB
memory/4348-3-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/4348-5-0x0000000000400000-0x0000000000488000-memory.dmp  Filesize: 544KB
memory/4348-6-0x00000000021A0000-0x00000000021CD000-memory.dmp  Filesize: 180KB
memory/4348-7-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB