Analysis
max time kernel: 131s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 13:02
Static task: static1
Behavioral task: behavioral1
Sample: 5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
Resource: win7-20240508-en
General
Target: 5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
Size: 273KB
MD5: 0d24d4aedee36f50cce13572c0586fed
SHA1: c7ff14407d46d06bed3a7b47b1170adfedc50f92
SHA256: 5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5
SHA512: 8c3294fadd2e3704cac9bb60a0761a3ab09287ce860d82682afc52cc8770085458c973a2bb0f54da067b955e80ab6454e5cdb98f1b4d31d46b327813e6963307
SSDEEP: 3072:PvcWbfZpjSG9n/jJh0iMPx8ssSfG8wfWgbRgn3EAPAsaKPDZaPjJwhKIgY:HLbS0JhCPx8Y2fWgVKEyHjPDZaGhK
Malware Config
Extracted: gcleaner
- 185.172.128.90
- 185.172.128.69
- url_path: /advdlc.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (process: 5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (9 IoCs)
Processes: WerFault.exe (9 instances)
pid   pid_target  process       target process
2160  1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
4436  1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
740   1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
644   1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
3812  1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
1708  1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
1676  1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
5012  1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
1984  1480        WerFault.exe  5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe

Kills process with taskkill (1 IoC)
Processes: taskkill.exe
- pid 4528, taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: taskkill.exe
- Token: SeDebugPrivilege, pid 4528, taskkill.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe, cmd.exe
- PID 1480 wrote to memory of 5024 (5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe -> cmd.exe)
- PID 1480 wrote to memory of 5024 (5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe -> cmd.exe)
- PID 1480 wrote to memory of 5024 (5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe -> cmd.exe)
- PID 5024 wrote to memory of 4528 (cmd.exe -> taskkill.exe)
- PID 5024 wrote to memory of 4528 (cmd.exe -> taskkill.exe)
- PID 5024 wrote to memory of 4528 (cmd.exe -> taskkill.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 740
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 760
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 760
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 780
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 904
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 980
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1008
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1356
    - Program crash

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe" & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im "5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe" /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1368
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1480 -ip 1480
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\advdlc[1].htm
  Filesize: 1B
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/1480-3-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/1480-2-0x0000000002C80000-0x0000000002CAD000-memory.dmp
  Filesize: 180KB

memory/1480-1-0x0000000002CB0000-0x0000000002DB0000-memory.dmp
  Filesize: 1024KB

memory/1480-4-0x0000000000400000-0x0000000002BFD000-memory.dmp
  Filesize: 40.0MB

memory/1480-6-0x0000000002CB0000-0x0000000002DB0000-memory.dmp
  Filesize: 1024KB

memory/1480-12-0x0000000000400000-0x0000000002BFD000-memory.dmp
  Filesize: 40.0MB

memory/1480-25-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB

memory/1480-24-0x0000000000400000-0x0000000002BFD000-memory.dmp
  Filesize: 40.0MB