Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 19:49
Static task: static1
Behavioral task: behavioral1
Sample: 083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe
Resource: win7-20240220-en
General
Target: 083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe
Size: 276KB
MD5: 80acdc4d806fef203351f575f9eb4aef
SHA1: 1f3238a7c1f6c0b9ba56e412524ffae4e5bc654e
SHA256: 083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9
SHA512: edd7f3d1ce29b12683176bd19b51abdc801f4948addfd7c6e8edd79885598f60787847eeefa8fb88204c970d1df809310ffc9541f36d29a674b49bd31db3828b
SSDEEP: 6144:FnMA6ZC03GtLo8GNBkQVozODm0Fth045oS:eAAC03GpXslozOKC7Bv
Malware Config (extracted)
Family: gcleaner
185.172.128.90
5.42.64.56
185.172.128.69
Signatures
Deletes itself (1 IoCs)
  Processes: cmd.exe (PID 2064)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe (PID 2656)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: taskkill.exe (PID 2656), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1724 (083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe) wrote to memory of PID 2064 (cmd.exe), 4 events
    PID 2064 (cmd.exe) wrote to memory of PID 2656 (taskkill.exe), 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe"
   PID: 1724
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe" & exit
      PID: 2064
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im "083fff395834e2dbf57b83325317c78670b87480c778c1b895b0df41cc9b04b9.exe" /f
         PID: 2656
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/1724-1-0x0000000002D20000-0x0000000002E20000-memory.dmp (Filesize: 1024KB)
memory/1724-3-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
memory/1724-2-0x00000000002D0000-0x000000000030C000-memory.dmp (Filesize: 240KB)
memory/1724-8-0x0000000002D20000-0x0000000002E20000-memory.dmp (Filesize: 1024KB)
memory/1724-7-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
memory/1724-6-0x0000000000400000-0x0000000002CA3000-memory.dmp (Filesize: 40.6MB)