Analysis
- max time kernel: 136s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 13:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
- Resource: win10v2004-20240426-en
General
- Target: 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
- Size: 278KB
- MD5: 673ea1efbea95943a20a9fcc6b3dea5d
- SHA1: 32ce625b17508fd013445fdab081f3461f73ba65
- SHA256: 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51
- SHA512: 17318e6c946a99ca2eb68bc2a1cc4d978b66cb3bbb9c540953fe59f31363fd466a4ba06488d5dd68e1ee02a10fbf4dcc55443311c4b969477ad5cc10e813024a
- SSDEEP: 6144:D39AQwEjyzfDtaAtWH7ROEe3ppGFZydUBg:D39AjEj8hlWHte3ppEW
Malware Config
Extracted
- gcleaner
  - 185.172.128.90
  - 5.42.64.56
  - 185.172.128.69
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation
  process: 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (10 IoCs)
  Processes: WerFault.exe (10 instances)
  target process in every row: pid_target 900, 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
  pid   process
  4528  WerFault.exe
  2060  WerFault.exe
  3968  WerFault.exe
  4596  WerFault.exe
  3244  WerFault.exe
  5032  WerFault.exe
  4108  WerFault.exe
  4152  WerFault.exe
  4700  WerFault.exe
  2712  WerFault.exe
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  pid: 3196, process: taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: taskkill.exe
  description: Token: SeDebugPrivilege, pid: 3196, process: taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe, cmd.exe
  description: PID 900 wrote to memory of 2256; pid 900; process 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe; target process cmd.exe (3 entries)
  description: PID 2256 wrote to memory of 3196; pid 2256; process cmd.exe; target process taskkill.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 456
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 480
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 748
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 788
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 764
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 800
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 912
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 916
    signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1364
    signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe" & exit
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /im "691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe" /f
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1308
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 900 -ip 900
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 900 -ip 900
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/900-3-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/900-2-0x00000000048D0000-0x000000000490C000-memory.dmp (240KB)
- memory/900-1-0x0000000002DB0000-0x0000000002EB0000-memory.dmp (1024KB)
- memory/900-8-0x00000000048D0000-0x000000000490C000-memory.dmp (240KB)
- memory/900-7-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/900-6-0x0000000000400000-0x0000000002CA4000-memory.dmp (40.6MB)