gcleaner | fb861a782af83e33211b8f76e715076528e753326056257e15c33463073b5a2b

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2023, 14:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a708327e4d55ffb7ba8095480d7e8a25.exe
Size

247KB
MD5

a708327e4d55ffb7ba8095480d7e8a25
SHA1

f70a4dba48818a62eea256fe492c77b8816e9966
SHA256

fb861a782af83e33211b8f76e715076528e753326056257e15c33463073b5a2b
SHA512

609adfe4dee87a447934356e80e062b289e29b94fe42362164a5f1854de397a190088d01af6e124128eae7cd1843aa9381ffebf91dc4dcc03671aa09d812b926
SSDEEP

6144:QLiKzxf/ScLKJ81F3fojybiBq3IkOulqlaafGWX:QuKN281lKybiB0Ik5UaYbX

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a708327e4d55ffb7ba8095480d7e8a25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4848	4780	WerFault.exe	78
1320	4780	WerFault.exe	78
3392	4780	WerFault.exe	78
2036	4780	WerFault.exe	78
3692	4780	WerFault.exe	78
2920	4780	WerFault.exe	78
596	4780	WerFault.exe	78

Kills process with taskkill 1 IoCs

evasion

pid	Process
2392	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 1940	4780	a708327e4d55ffb7ba8095480d7e8a25.exe	92
PID 4780 wrote to memory of 1940	4780	a708327e4d55ffb7ba8095480d7e8a25.exe	92
PID 4780 wrote to memory of 1940	4780	a708327e4d55ffb7ba8095480d7e8a25.exe	92
PID 1940 wrote to memory of 2392	1940	cmd.exe	96
PID 1940 wrote to memory of 2392	1940	cmd.exe	96
PID 1940 wrote to memory of 2392	1940	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\a708327e4d55ffb7ba8095480d7e8a25.exe
"C:\Users\Admin\AppData\Local\Temp\a708327e4d55ffb7ba8095480d7e8a25.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 688
  2⤵
  - Program crash
  PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 788
  2⤵
  - Program crash
  PID:1320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 796
  2⤵
  - Program crash
  PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 920
  2⤵
  - Program crash
  PID:2036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 920
  2⤵
  - Program crash
  PID:3692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 948
  2⤵
  - Program crash
  PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "a708327e4d55ffb7ba8095480d7e8a25.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a708327e4d55ffb7ba8095480d7e8a25.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "a708327e4d55ffb7ba8095480d7e8a25.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 736
  2⤵
  - Program crash
  PID:596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4780 -ip 4780
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4780 -ip 4780
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4780 -ip 4780
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4780 -ip 4780
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4780 -ip 4780
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4780 -ip 4780
1⤵
PID:344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4780-132-0x0000000002F2D000-0x0000000002F54000-memory.dmp

Filesize
156KB

Download
memory/4780-133-0x0000000002E50000-0x0000000002E90000-memory.dmp

Filesize
256KB

Download
memory/4780-134-0x0000000000400000-0x0000000002BA7000-memory.dmp

Filesize
39.7MB

Download
memory/4780-137-0x0000000002F2D000-0x0000000002F54000-memory.dmp

Filesize
156KB

Download
memory/4780-138-0x0000000000400000-0x0000000002BA7000-memory.dmp

Filesize
39.7MB

Download