Analysis
- max time kernel: 92s
- max time network: 99s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 24-05-2024 04:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
- Resource: win10v2004-20240508-en
General
- Target: fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
- Size: 356KB
- MD5: f09c488bfeff422f0acc8db51c7b590d
- SHA1: 657e239e1f833936621e9dfd825cb31137112fc6
- SHA256: fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f
- SHA512: b3bb99e399f6a5b293d955a2237cf9ffdc7d2ab02754813cce3b6478e6620968330319b4c531cc4325e01d1696950406473ca7178d8116e749d8ac6fcd1e62fa
- SSDEEP: 6144:TrT21hhM/SHN+L9nDUJ9VVsiG+N3GoA2Hbv+C:TrKZSQTPsz+N
Malware Config
Extracted
- gcleaner
  - 185.172.128.90
  - 5.42.64.56
  - 185.172.128.69
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (9 IoCs)
  Processes: WerFault.exe (x9)
  pid  | pid_target | process      | target process
  1444 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  4776 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  4468 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  2396 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  4960 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  2892 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  1620 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  1552 | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  276  | 5100       | WerFault.exe | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid  | process
  1340 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: taskkill.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 1340 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe, cmd.exe
  description                      | pid  | process                                                              | target process
  PID 5100 wrote to memory of 4208 | 5100 | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe | cmd.exe
  PID 5100 wrote to memory of 4208 | 5100 | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe | cmd.exe
  PID 5100 wrote to memory of 4208 | 5100 | fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe | cmd.exe
  PID 4208 wrote to memory of 1340 | 4208 | cmd.exe                                                              | taskkill.exe
  PID 4208 wrote to memory of 1340 | 4208 | cmd.exe                                                              | taskkill.exe
  PID 4208 wrote to memory of 1340 | 4208 | cmd.exe                                                              | taskkill.exe
Processes
(process tree; indentation shows parent/child depth, with the signatures each process triggered listed under it)
- C:\Users\Admin\AppData\Local\Temp\fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe"
  Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 472
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 796
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 816
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 796
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 888
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 868
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1084
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1460
      Signatures: Program crash
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe" & exit
      Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "fc3bfda544affa06f4dcb553fd2cd4f54d359b57cfdfd7ddeccd30a9757b896f.exe" /f
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 1364
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5100 -ip 5100
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5100 -ip 5100
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/5100-2-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
- memory/5100-1-0x00000000022E0000-0x00000000023E0000-memory.dmp (Filesize: 1024KB)
- memory/5100-3-0x0000000000400000-0x0000000001FA4000-memory.dmp (Filesize: 27.6MB)
- memory/5100-7-0x0000000000400000-0x0000000001FA4000-memory.dmp (Filesize: 27.6MB)
- memory/5100-8-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)