Overview

overview

10

Static

static

1

c7321ee88d...47.exe

windows7-x64

10

c7321ee88d...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    11/02/2023, 09:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c7321ee88deeede4d5ad70f74feac847.exe

  • Size

    276KB

  • MD5

    c7321ee88deeede4d5ad70f74feac847

  • SHA1

    e847f216a666d69a4784c23672fc36ecbe003dd3

  • SHA256

    1ef8dd1b6c059bbf50984bc00eeb54c8b2a05db6dd52b560605292da412bd6f9

  • SHA512

    77b92d400f1020e2a30eda2d366ab2568f2ca79f87c6150b0d6c08e14335384db6d2d3bc4941a5308d1c2e8f598781e38357426d4383a1795e3d69553e425a0f

  • SSDEEP

    3072:ohiO4hRL+iGL24qWYh5cK5hBLkUyuDLBLy1dV1RhYVO10Ya4ZGb94v9kAJ59kRYC:ohiDRGLJqf7LtDLEkV4Zw94VkATmYW

Score
10/10
gcleanerloader

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7321ee88deeede4d5ad70f74feac847.exe
    "C:\Users\Admin\AppData\Local\Temp\c7321ee88deeede4d5ad70f74feac847.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "c7321ee88deeede4d5ad70f74feac847.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\c7321ee88deeede4d5ad70f74feac847.exe" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "c7321ee88deeede4d5ad70f74feac847.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:764

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1524-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1524-56-0x00000000006FB000-0x0000000000722000-memory.dmp

          Filesize

          156KB

          Download

        • memory/1524-57-0x0000000000240000-0x0000000000280000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1524-58-0x0000000000400000-0x0000000000576000-memory.dmp

          Filesize

          1.5MB

          Download