Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 06:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe

  • Size

    345KB

  • MD5

    a5a14b31163a4c9991600fa08612436b

  • SHA1

    cbe157e0e4e1bb34764544bc1531bb5ed6e7528e

  • SHA256

    49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6

  • SHA512

    2cde2d6a873d4f72043089774db4d5207d4941a28640e5e8f536b2b3b7e9324fd9e62ad135ec4456d6b23ea132f1a61d04859814f25beb96bb8732b98be75bc4

  • SSDEEP

    3072:P0WropQLfkHsFbOqU5PEws8r6VSOIf+yWRd+JmIDvbJnOvlwMchQ8j/:P0SopjsFbuMwsrSOIf+yWRdENbJn1BQ

Score
10/10
gcleanerloader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

77.105.160.30

185.172.128.69

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe
    "C:\Users\Admin\AppData\Local\Temp\49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1312
      2⤵
      • Program crash
      PID:3268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 380 -ip 380
    1⤵
      PID:3560

    Network

    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=1896F6E3CF766F0C24C5E259CE516EC1; domain=.bing.com; expires=Wed, 06-Aug-2025 06:50:47 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: D14E2A412F8F4E6FAABA3D6F62A191AE Ref B: LON04EDGE0607 Ref C: 2024-07-12T06:50:47Z
      date: Fri, 12 Jul 2024 06:50:47 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1896F6E3CF766F0C24C5E259CE516EC1
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=66igMKlaG0L_gaEzg42P1ntUDWhYQH4UQQ5u6DnIYjU; domain=.bing.com; expires=Wed, 06-Aug-2025 06:50:47 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6689FA1860904CA48746CE8D5867A794 Ref B: LON04EDGE0607 Ref C: 2024-07-12T06:50:47Z
      date: Fri, 12 Jul 2024 06:50:47 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=1896F6E3CF766F0C24C5E259CE516EC1; MSPTC=66igMKlaG0L_gaEzg42P1ntUDWhYQH4UQQ5u6DnIYjU
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: DAA42B4F15CB4014AFC6D0F0EF97651C Ref B: LON04EDGE0607 Ref C: 2024-07-12T06:50:47Z
      date: Fri, 12 Jul 2024 06:50:47 GMT
    • flag-us
      DNS
      20.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      57.169.31.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      57.169.31.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-de
      GET
      http://185.172.128.90/cpa/name.php
      49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe
      Remote address:
      185.172.128.90:80
      Request
      GET /cpa/name.php HTTP/1.1
      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
      User-Agent: 1
      Host: 185.172.128.90
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Fri, 12 Jul 2024 06:50:51 GMT
      Server: Apache/2.4.52 (Ubuntu)
      Content-Length: 1
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=UTF-8
    • flag-us
      DNS
      90.128.172.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      90.128.172.185.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      192.142.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      192.142.123.92.in-addr.arpa
      IN PTR
      Response
      192.142.123.92.in-addr.arpa
      IN PTR
      a92-123-142-192deploystaticakamaitechnologiescom
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=
      tls, http2
      2.0kB
       9.3kB
       22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=91fab66a18694a3a9e9a233c46bc6a59&localId=w:E9EA7C1F-1D3E-8A87-AC67-742A9FCC1FE6&deviceId=6825836757655223&anid=

      HTTP Response

      204
    • 185.172.128.90:80
      http://185.172.128.90/cpa/name.php
      http
      49d274575d3cf8393711ba0738cd165afc46f5480d57a43b57972bba48ef03a6.exe
      624 B
       336 B
       5
      3

      HTTP Request

      GET http://185.172.128.90/cpa/name.php

      HTTP Response

      200
    • 52.111.227.11:443
      322 B
       7
    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
       151 B
       1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      20.160.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      20.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      57.169.31.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      57.169.31.20.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      73 B
       143 B
       1
      1

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      90.128.172.185.in-addr.arpa
      dns
      73 B
       73 B
       1
      1

      DNS Request

      90.128.172.185.in-addr.arpa

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      192.142.123.92.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      192.142.123.92.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/380-1-0x0000000002180000-0x0000000002280000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/380-2-0x0000000003CF0000-0x0000000003D2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/380-3-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/380-6-0x0000000003CF0000-0x0000000003D2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/380-7-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/380-5-0x0000000000400000-0x000000000209D000-memory.dmp

      Filesize

      28.6MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.