Analysis
max time kernel: 193s
max time network: 255s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-05-2024 23:19
Static task: static1
Behavioral task: behavioral1
Sample: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
Resource: win7-20240508-en
General
Target: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
Size: 220KB
MD5: cd0fd465ea4fd58cf58413dda8114989
SHA1: 2ae37c14fa393dcbd68a57a49e3eecacf5be0b50
SHA256: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe
SHA512: b05f3e05762a86aa672d3f4bed9dde6be4e9c946c02d18f470ee2542a1d5da1fa5eb4e6a33bffa8ba39e754e34cb53aa1accca8107aae218001c1a1110af371f
SSDEEP: 3072:Kj9Wt0dASUNee76IR+tXe/ZHwYjpu8lULeJQ7k7wE65/:2cgUNj2DtXe/ZQKu7k7W
Malware Config
Extracted: gcleaner
185.172.128.90
5.42.65.64
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (8 IoCs)
Processes: WerFault.exe (8 instances)
pid  | pid_target | process      | target process
212  | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
868  | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
2668 | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
2488 | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
4436 | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
516  | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
4664 | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe
1896 | 2824       | WerFault.exe | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe

Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
pid  | process
1724 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: taskkill.exe
description             | pid  | process
Token: SeDebugPrivilege | 1724 | taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe, cmd.exe
description                      | pid  | process                                                              | target process
PID 2824 wrote to memory of 2456 | 2824 | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe | cmd.exe
PID 2824 wrote to memory of 2456 | 2824 | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe | cmd.exe
PID 2824 wrote to memory of 2456 | 2824 | a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe | cmd.exe
PID 2456 wrote to memory of 1724 | 2456 | cmd.exe                                                              | taskkill.exe
PID 2456 wrote to memory of 1724 | 2456 | cmd.exe                                                              | taskkill.exe
PID 2456 wrote to memory of 1724 | 2456 | cmd.exe                                                              | taskkill.exe
Processes (tree; indentation shows parent/child level)

C:\Users\Admin\AppData\Local\Temp\a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe (PID 2824)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe"
  Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 212)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 760
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 868)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 764
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 2668)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 840
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 2488)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 944
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 4436)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 968
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 516)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1092
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 4664)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1124
      Signatures: Program crash

    C:\Windows\SysWOW64\WerFault.exe (PID 1896)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1264
      Signatures: Program crash

    C:\Windows\SysWOW64\cmd.exe (PID 2456)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe" & exit
      Signatures: Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskkill.exe (PID 1724)
          Command line: taskkill /im "a5f4270eed2a341acb58267cfaca48cfd25d5d5921b6f4d7e856ef4b5fd85dbe.exe" /f
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken