Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 18:20
Static task
static1
Behavioral task
behavioral1
Sample
09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe
Resource
win7-20240508-en
General
-
Target
09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe
-
Size
363KB
-
MD5
09869caa0d0ca2c790201062ebfc0d84
-
SHA1
f8b2f174c356813ec14412f14dc632d6db0db5b5
-
SHA256
09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24
-
SHA512
44780226c65e77bea490a8a4c6b30f8687dadd305c76cae875df3a3b94f68793e9fb6694d9eb92344700889aa2e34585c90ecbed5ab53f203b1035b245a079dc
-
SSDEEP
6144:Bl9/M+KgrbX4AbZdbr36i3DQSCV9VjqsB:39/fbXTbXhDQS09VjvB
Malware Config
Extracted
gcleaner
185.172.128.90
5.42.64.56
185.172.128.69
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2988 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2336 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid process Token: SeDebugPrivilege 2336 taskkill.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.execmd.exedescription pid process target process PID 1484 wrote to memory of 2988 1484 09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe cmd.exe PID 1484 wrote to memory of 2988 1484 09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe cmd.exe PID 1484 wrote to memory of 2988 1484 09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe cmd.exe PID 1484 wrote to memory of 2988 1484 09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe cmd.exe PID 2988 wrote to memory of 2336 2988 cmd.exe taskkill.exe PID 2988 wrote to memory of 2336 2988 cmd.exe taskkill.exe PID 2988 wrote to memory of 2336 2988 cmd.exe taskkill.exe PID 2988 wrote to memory of 2336 2988 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe"C:\Users\Admin\AppData\Local\Temp\09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe" & exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "09e7490114ee50412cbcf2bf7aacd618b7ac59c4839f2c21ccfcc4e229015a24.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken