Analysis

max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/07/2024, 00:06

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: 6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe
Resource: win10v2004-20240709-en
7 signatures, 150 seconds
General

Target: 6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe
Size: 370KB
MD5: a580b91155c0870f7ff1e9dc0ee85328
SHA1: 474b5b52d7ec66a6de7164d903275b4759851431
SHA256: 6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843
SHA512: 04f20fab6d4ba08542a047988241e4b9d2b6c12a8f39b717973a5eb40c0b49c41ea06aeadc3bbd0abedb5090528ec7172cdb75e60ea863a44478f13f4bc7a68d
SSDEEP: 6144:Sy5ngvXvVhXkqnmWuWxEIc9FXp/Q5owrHaLZUJp8TM:95ng/NhXbnmiEV9FZIYU7
Malware Config

Extracted
Family: gcleaner
C2:
  185.172.128.90
  77.105.160.30
  185.172.128.69
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2044  1860        WerFault.exe  79

Kills process with taskkill (1 IoCs)
  pid   Process
  5000  taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  5000  taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1860 wrote to memory of 4004  1860  6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe  81
  PID 1860 wrote to memory of 4004  1860  6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe  81
  PID 1860 wrote to memory of 4004  1860  6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe  81
  PID 4004 wrote to memory of 5000  4004  cmd.exe                                                                   85
  PID 4004 wrote to memory of 5000  4004  cmd.exe                                                                   85
  PID 4004 wrote to memory of 5000  4004  cmd.exe                                                                   85
Processes

C:\Users\Admin\AppData\Local\Temp\6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe"
  PID: 1860
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe" & exit
    PID: 4004
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe" /f
      PID: 5000
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1400
    PID: 2044
    Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
  PID: 2256