Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-12-2024 21:30
Static task
static1
Behavioral task
behavioral1
Sample
014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe
Resource
win7-20241010-en
General
-
Target
014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe
-
Size
305KB
-
MD5
a39bd865d6df97f9f541a76ff327ef72
-
SHA1
e9d5703070f46de97465e91453da6bb9cdd30862
-
SHA256
014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d
-
SHA512
d79e1c8b7d1534fa0080511e8748590831ac016fa908c05e5cd97837ef4c5ff981f83445a36acddf787fda554e6586f00ca6c37a9f651f5421d03322b9c0bd12
-
SSDEEP
6144:7STmTNLwS0eZbNFsFhZSf3H2wNffWMGsRXcTG1Y4:7STCNMpezgEH2wN3JGrc
Malware Config
Extracted
gcleaner
45.139.105.171
85.31.46.167
107.182.129.235
171.22.30.106
-
url_path
....!..../software.php
....!..../software.php
Signatures
-
Gcleaner family
-
Program crash 8 IoCs
pid pid_target Process procid_target 2172 3680 WerFault.exe 82 2952 3680 WerFault.exe 82 4280 3680 WerFault.exe 82 892 3680 WerFault.exe 82 4800 3680 WerFault.exe 82 4036 3680 WerFault.exe 82 1092 3680 WerFault.exe 82 1928 3680 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3680 014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe"C:\Users\Admin\AppData\Local\Temp\014445a124470594d7a5dd08add6829113337b2923d8ebd730fcb4b5f551954d.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:3680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 4522⤵
- Program crash
PID:2172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 7722⤵
- Program crash
PID:2952
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 7842⤵
- Program crash
PID:4280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 7722⤵
- Program crash
PID:892
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 8042⤵
- Program crash
PID:4800
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 9282⤵
- Program crash
PID:4036
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 9282⤵
- Program crash
PID:1092
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 7762⤵
- Program crash
PID:1928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3680 -ip 36801⤵PID:4020
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3680 -ip 36801⤵PID:1828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3680 -ip 36801⤵PID:1824
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3680 -ip 36801⤵PID:2960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3680 -ip 36801⤵PID:2452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3680 -ip 36801⤵PID:548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3680 -ip 36801⤵PID:1916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3680 -ip 36801⤵PID:4280