Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 04:21

General

  • Target

    31a194cac2e9de7a6007ed9ec667f810N.exe

  • Size

    269KB

  • MD5

    31a194cac2e9de7a6007ed9ec667f810

  • SHA1

    4c32b1079830ec850a9fc5772b62f7ec7e3f3eef

  • SHA256

    a0d51145bd3f6620032b432be3cdb9a4bd3a2b889c01d101c9a53d8c46c6b4e4

  • SHA512

    26f488523aecfb4d26ea71f57a7b8fa155baf4e6d37c81a8f0ad9c810ed83be542effd26fda17e75c191afead0c19c4571614281ddd53e5224d05c447efc2974

  • SSDEEP

    6144:C/l5MBlczZhOHP0DQIpUtJndnUvBJGxhw5UJp8wB:C/EwthXN0ZdUvBJFUN

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

77.105.160.30

185.172.128.69

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe
    "C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1388
      2⤵
      • Program crash
      PID:3968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2588 -ip 2588
    1⤵
      PID:5076

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2588-1-0x0000000002970000-0x0000000002A70000-memory.dmp

      Filesize

      1024KB

    • memory/2588-2-0x0000000004570000-0x00000000045AC000-memory.dmp

      Filesize

      240KB

    • memory/2588-3-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2588-7-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2588-6-0x0000000004570000-0x00000000045AC000-memory.dmp

      Filesize

      240KB

    • memory/2588-5-0x0000000000400000-0x000000000282B000-memory.dmp

      Filesize

      36.2MB