Analysis
max time kernel: 91s
max time network: 95s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe
  Resource: win10v2004-20240426-en
General
Target: ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe
Size: 293KB
MD5: 7773dfc253110b66e3900cbf7d60898a
SHA1: b23932263b0ede8f4f3d0136d05578c65e6195ed
SHA256: ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7
SHA512: ce28368fa44e2739ff796e64f168dcbeebe67bc2d3c3135680269b0c96393a27993c4891519d30c3565ef90cf545a8b4c68ae4457e96d4caf13da5942313a835
SSDEEP: 6144:KD4MY2AZu7zUgW5JykNFhlaFK1DbuoG7WLtwT:KDy9Zu0gsBGkByam
Malware Config
Extracted family: gcleaner
Extracted addresses:
  185.172.128.90
  5.42.64.56
  185.172.128.69
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  PID 5024 (ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe) set thread context of 3484 (ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoC)
  PID 2984 taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2984 taskkill.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 5024 (ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe) wrote to memory of 3484 (ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe), 10 rows
  PID 3484 (ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe) wrote to memory of 852 (cmd.exe), 3 rows
  PID 852 (cmd.exe) wrote to memory of 2984 (taskkill.exe), 3 rows
Processes
- C:\Users\Admin\AppData\Local\Temp\ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe (depth 1, PID 5024)
  command line: "C:\Users\Admin\AppData\Local\Temp\ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe (depth 2, PID 3484)
    command line: "C:\Users\Admin\AppData\Local\Temp\ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 852)
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe" & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 2984)
        command line: taskkill /im "ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe" /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
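The signature rows and the process tree above describe a single chain: the sample starts a second copy of its own image, writes into it and resets its main thread context (the process-hollowing shape, with the 256KB region at 0x400000 in PID 3484 being the dumped result), and the hollowed copy then spawns cmd.exe to taskkill the original image by name and erase the file from Temp. The cmd.exe launched via a System32 command line but resolved to SysWOW64 is file-system redirection for a 32-bit process, consistent with the arch:x86 tag. The Python below is an added example, not part of the sandbox report or its tooling: it parses report-style API rows and a process table transcribed from this page (constructed input, not the sandbox's native format) and flags those two behaviours so the same check can be run over other reports. The table layout, regexes and function names are the example's own.

```python
import re
from collections import defaultdict

SAMPLE = "ad1448677eac1359fe87f0086c2dc8f5865cb32f8303952a1d49ceea400934d7.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Process table transcribed from the report (constructed input): pid -> (ppid, image, command line)
PROCESSES = {
    5024: (None, SAMPLE, f'"{TEMP}"'),
    3484: (5024, SAMPLE, f'"{TEMP}"'),
    852:  (3484, "cmd.exe",
           f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im "{SAMPLE}" /f & erase "{TEMP}" & exit'),
    2984: (852, "taskkill.exe", f'taskkill /im "{SAMPLE}" /f'),
}

# API rows in the wording the report uses; the repeats are its 16 WriteProcessMemory IoCs
API_ROWS = (
    ["PID 5024 set thread context of 3484"]
    + ["PID 5024 wrote to memory of 3484"] * 10
    + ["PID 3484 wrote to memory of 852"] * 3
    + ["PID 852 wrote to memory of 2984"] * 3
)

API_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_api_rows(rows):
    """Return {(src_pid, dst_pid): {api_name: count}} from report-style rows."""
    calls = defaultdict(lambda: defaultdict(int))
    for row in rows:
        m = API_RE.search(row)
        if not m:
            continue
        src, what, dst = int(m.group(1)), m.group(2), int(m.group(3))
        api = "WriteProcessMemory" if what.startswith("wrote") else "SetThreadContext"
        calls[(src, dst)][api] += 1
    return calls


def find_hollowing(processes, calls):
    """Flag a parent that writes into a child it spawned from the same image and
    then resets that child's thread context: the classic self-hollowing shape."""
    hits = []
    for (src, dst), apis in calls.items():
        ppid, image, _ = processes.get(dst, (None, None, None))
        if ppid != src:
            continue  # only direct parent -> child writes are of interest here
        if ("WriteProcessMemory" in apis and "SetThreadContext" in apis
                and image.lower() == processes[src][1].lower()):
            hits.append({"parent": src, "child": dst, "image": image,
                         "writes": apis["WriteProcessMemory"]})
    return hits


KILL_RE = re.compile(r'taskkill\s+/im\s+"?([^"\s]+)"?\s+/f', re.I)
ERASE_RE = re.compile(r'(?:erase|del)\s+"([^"]+)"', re.I)


def ancestors(processes, pid):
    """Walk from pid up to the root of the tree."""
    while pid is not None:
        yield pid
        pid = processes[pid][0]


def find_self_delete(processes):
    """Flag a cmd.exe whose command line kills an ancestor's image by name and
    erases a file: the self-delete chain at the bottom of the process tree."""
    hits = []
    for pid, (ppid, image, cmdline) in processes.items():
        if image.lower() != "cmd.exe":
            continue
        kill, erase = KILL_RE.search(cmdline), ERASE_RE.search(cmdline)
        if not (kill and erase):
            continue
        killed = kill.group(1)
        for anc in ancestors(processes, ppid):
            if processes[anc][1].lower() == killed.lower():
                hits.append({"cmd_pid": pid, "victim_pid": anc,
                             "killed_image": killed, "erased_path": erase.group(1)})
                break
    return hits


if __name__ == "__main__":
    calls = parse_api_rows(API_ROWS)
    for h in find_hollowing(PROCESSES, calls):
        print(f"hollowing: PID {h['parent']} -> PID {h['child']} ({h['image']}), {h['writes']} writes")
    for s in find_self_delete(PROCESSES):
        print(f"self-delete: cmd PID {s['cmd_pid']} kills PID {s['victim_pid']} and erases {s['erased_path']}")
```

The hollowing rule needs all three conditions (direct parent and child, same image, both APIs) so that the cmd.exe to taskkill.exe rows, which are the ordinary parent writes a sandbox logs for every process start, do not match. On this report it yields exactly one hollowing hit (5024 into 3484, 10 writes) and one self-delete hit (cmd PID 852 killing PID 3484 and erasing the Temp path).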
Downloads
- memory/3484-5-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/3484-7-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/3484-4-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/3484-3-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/3484-10-0x0000000000400000-0x0000000000440000-memory.dmp (256KB)
- memory/5024-1-0x0000000002EA0000-0x0000000002FA0000-memory.dmp (1024KB)
- memory/5024-2-0x00000000049C0000-0x00000000049FD000-memory.dmp (244KB)