Analysis
  max time kernel: 119s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 30-05-2024 23:19
  Static task: static1
  Behavioral task: behavioral1
    Sample: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
    Resource: win7-20240508-en
General
  Target: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
  Size: 220KB
  MD5: cd0fd465ea4fd58cf58413dda8114989
  SHA1: 2ae37c14fa393dcbd68a57a49e3eecacf5be0b50
  SHA256: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe
  SHA512: b05f3e05762a86aa672d3f4bed9dde6be4e9c946c02d18f470ee2542a1d5da1fa5eb4e6a33bffa8ba39e754e34cb53aa1accca8107aae218001c1a1110af371f
  SSDEEP: 3072:Kj9Wt0dASUNee76IR+tXe/ZHwYjpu8lULeJQ7k7wE65/:2cgUNj2DtXe/ZQKu7k7W
Malware Config
  Extracted: gcleaner
    185.172.128.90
    5.42.65.64
    url_path: /advdlc.php
Signatures
  Deletes itself (1 IoCs)
    Processes: cmd.exe
      pid   process
      2576  cmd.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Kills process with taskkill (1 IoCs)
    Processes: taskkill.exe
      pid   process
      2704  taskkill.exe
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Processes: taskkill.exe
      description                pid   process
      Token: SeDebugPrivilege    2704  taskkill.exe
  Suspicious use of WriteProcessMemory (8 IoCs)
    Processes: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe, cmd.exe
      description                       pid   process                                                                   target process
      PID 2364 wrote to memory of 2576  2364  a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe  cmd.exe
      PID 2364 wrote to memory of 2576  2364  a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe  cmd.exe
      PID 2364 wrote to memory of 2576  2364  a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe  cmd.exe
      PID 2364 wrote to memory of 2576  2364  a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe  cmd.exe
      PID 2576 wrote to memory of 2704  2576  cmd.exe                                                                   taskkill.exe
      PID 2576 wrote to memory of 2704  2576  cmd.exe                                                                   taskkill.exe
      PID 2576 wrote to memory of 2704  2576  cmd.exe                                                                   taskkill.exe
      PID 2576 wrote to memory of 2704  2576  cmd.exe                                                                   taskkill.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe"
     PID: 2364
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe" & exit
        PID: 2576
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\taskkill.exe
           command line: taskkill /im "a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe" /f
           PID: 2704
           - Kills process with taskkill
           - Suspicious use of AdjustPrivilegeToken