Analysis
max time kernel: 102s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:26
Static task: static1
Behavioral task: behavioral1
Sample: d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b.exe
Resource: win10v2004-20250610-en
General
Target: d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b.exe
Size: 4.8MB
MD5: a74a5b502a4ee04b7bfbede98dbbc06d
SHA1: c80dbac460717576db6721741e8f4cc547435fab
SHA256: d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b
SHA512: b7184252f0a0644f3b014ff1b26d92e57ac6e540e12e57a6625c315401e71bef90abf5402d0a7848950539ed0c90ecf8d77dc189f6fd3179de115f9a04df2ae6
SSDEEP: 98304:Sg9nYKv9bdaKeEdpDq1qK2aU93XdXOH3HPeW:SENNoEfDwqI4W
Malware Config
Extracted: gcleaner, 45.91.200.135
Signatures
- Gcleaner family
- Downloads MZ/PE file (1 IoC)
  flow 66, pid 3956, process svchost015.exe
- Executes dropped EXE (1 IoC)
  pid 3956, process svchost015.exe
- Loads dropped DLL (1 IoC)
  pid 3956, process svchost015.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 3060 set thread context of 3956; pid 3060, process d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b.exe, procid_target 99
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process svchost015.exe
- Suspicious use of WriteProcessMemory (4 IoCs, all identical)
  PID 3060 wrote to memory of 3956; pid 3060, process d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b.exe, procid_target 99
Processes
- C:\Users\Admin\AppData\Local\Temp\d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b.exe (depth 1, PID 3060)
  command line: "C:\Users\Admin\AppData\Local\Temp\d31f0543792df2de66f3a6fd6d75491ba1e84a5969f2091a17b22e697189ca0b.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost015.exe (depth 2, under PID 3060; PID 3956)
    command line: C:\Users\Admin\AppData\Local\Temp\svchost015.exe
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 1B
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
  (the MD5, SHA1 and SHA256 values are those of the single ASCII character "0")
- Filesize: 2.6MB
  MD5: ceeae1523c3864b719e820b75bf728aa
  SHA1: cf607927b6ef864a11bf7ebbcdbb59891d23d320
  SHA256: 4e04e2fb20a9c6846b5d693ea67098214f77737f4f1f3df5f0c78594650e7f71
  SHA512: a06da3b96084040d49964b2227402ff1a2548ee5f1459df6b64bc6cbb271f19a00a798333e0f608d03c5a6de7355ae916309250204900117e3ef101f764d0f5f