Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 07:22
Static task: static1
Behavioral task: behavioral1
Sample: b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe
Resource: win7-20240419-en
General
Target: b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe
Size: 262KB
MD5: dba3846a51c92775dac4fe38fe1565fc
SHA1: fde82884cf24699f55378ced90a106d0d370b033
SHA256: b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b
SHA512: b8b2f71d91e4a1c44b5f5c634e67bbca7e0424e78ede4607920fd87b0c81d71a41d21ca1a55e3ad6f000ee067f5dcd750ee341f8ec1238042fe1db30cac38bc0
SSDEEP: 6144:/6xMSaDuUKG2sGGQmDJzx82WaD7sRuiae/Y:/6xraCvHGQoShakRha
Malware Config
Extracted
gcleaner
185.172.128.90
5.42.64.56
185.172.128.69
Signatures

Deletes itself (1 IoC)
Processes:
  pid 2412  process cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
Processes:
  pid 2720  process taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege  pid 2720  process taskkill.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 2028 wrote to memory of 2412   2028  b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe   cmd.exe
  PID 2028 wrote to memory of 2412   2028  b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe   cmd.exe
  PID 2028 wrote to memory of 2412   2028  b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe   cmd.exe
  PID 2028 wrote to memory of 2412   2028  b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe   cmd.exe
  PID 2412 wrote to memory of 2720   2412  cmd.exe                                                                 taskkill.exe
  PID 2412 wrote to memory of 2720   2412  cmd.exe                                                                 taskkill.exe
  PID 2412 wrote to memory of 2720   2412  cmd.exe                                                                 taskkill.exe
  PID 2412 wrote to memory of 2720   2412  cmd.exe                                                                 taskkill.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe" & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "b2e7222f8455e06b6d44d193106363480124505df582b5d544df23e579aa325b.exe" /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/2028-1-0x0000000002E00000-0x0000000002F00000-memory.dmp  Filesize: 1024KB
memory/2028-2-0x0000000000220000-0x000000000025C000-memory.dmp  Filesize: 240KB
memory/2028-3-0x0000000000400000-0x0000000000440000-memory.dmp  Filesize: 256KB
memory/2028-8-0x0000000000220000-0x000000000025C000-memory.dmp  Filesize: 240KB
memory/2028-9-0x0000000000400000-0x0000000000440000-memory.dmp  Filesize: 256KB
memory/2028-7-0x0000000002E00000-0x0000000002F00000-memory.dmp  Filesize: 1024KB
memory/2028-6-0x0000000000400000-0x0000000002C99000-memory.dmp  Filesize: 40.6MB