gcleaner | 8e312734d6742cb01cbb585fe48c09d8aa49410012f5fb9b98e6a075e9250c37

Analysis

max time kernel
62s
max time network
63s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15/02/2023, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

3.0MB
MD5

1e65ac9fa6dc0858a16d30df32bba19c
SHA1

ad82d6b20571300609c98ba05280ae65d2459b52
SHA256

8e312734d6742cb01cbb585fe48c09d8aa49410012f5fb9b98e6a075e9250c37
SHA512

59ad21d9d4101ef411191847b3f46c845043029bc4ca2085b93e8a473207fd1762547fa1687c8ba19f39d1b398cef508d4943121667ab6e5d593ff97dca09b34
SSDEEP

98304:JHHHqVTRz+QpxXWNx4VYUVemQMPJ/EE4G+81yv2MR:dWz+MMCVYwgOQGsvjR

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Executes dropped EXE 3 IoCs

pid	Process
2008	file.tmp
568	FRec214.exe
1516	sIvyBQw8p8Hp.exe

Loads dropped DLL 7 IoCs

pid	Process
1148	file.exe
2008	file.tmp
2008	file.tmp
2008	file.tmp
2008	file.tmp
2008	file.tmp
568	FRec214.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FHTsoftFR\FRec214\unins000.dat	file.tmp
File created	C:\Program Files (x86)\FHTsoftFR\FRec214\is-96K42.tmp	file.tmp
File created	C:\Program Files (x86)\FHTsoftFR\FRec214\is-HIC6A.tmp	file.tmp
File opened for modification	C:\Program Files (x86)\FHTsoftFR\FRec214\unins000.dat	file.tmp
File opened for modification	C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe	file.tmp
File created	C:\Program Files (x86)\FHTsoftFR\FRec214\is-EN7M6.tmp	file.tmp
File created	C:\Program Files (x86)\FHTsoftFR\FRec214\is-J4Q13.tmp	file.tmp
File created	C:\Program Files (x86)\FHTsoftFR\FRec214\is-Q5G8U.tmp	file.tmp
File created	C:\Program Files (x86)\FHTsoftFR\FRec214\data\is-IVV8F.tmp	file.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
868	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
568	FRec214.exe
568	FRec214.exe
568	FRec214.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	taskkill.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2008	1148	file.exe	28
PID 1148 wrote to memory of 2008	1148	file.exe	28
PID 1148 wrote to memory of 2008	1148	file.exe	28
PID 1148 wrote to memory of 2008	1148	file.exe	28
PID 1148 wrote to memory of 2008	1148	file.exe	28
PID 1148 wrote to memory of 2008	1148	file.exe	28
PID 1148 wrote to memory of 2008	1148	file.exe	28
PID 2008 wrote to memory of 568	2008	file.tmp	29
PID 2008 wrote to memory of 568	2008	file.tmp	29
PID 2008 wrote to memory of 568	2008	file.tmp	29
PID 2008 wrote to memory of 568	2008	file.tmp	29
PID 568 wrote to memory of 1516	568	FRec214.exe	30
PID 568 wrote to memory of 1516	568	FRec214.exe	30
PID 568 wrote to memory of 1516	568	FRec214.exe	30
PID 568 wrote to memory of 1516	568	FRec214.exe	30
PID 568 wrote to memory of 632	568	FRec214.exe	33
PID 568 wrote to memory of 632	568	FRec214.exe	33
PID 568 wrote to memory of 632	568	FRec214.exe	33
PID 568 wrote to memory of 632	568	FRec214.exe	33
PID 632 wrote to memory of 868	632	cmd.exe	35
PID 632 wrote to memory of 868	632	cmd.exe	35
PID 632 wrote to memory of 868	632	cmd.exe	35
PID 632 wrote to memory of 868	632	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\is-1QBEN.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1QBEN.tmp\file.tmp" /SL5="$70124,2915537,387072,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe
    "C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\sIvyBQw8p8Hp.exe
      4⤵
      Executes dropped EXE
      PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "FRec214.exe" /f & erase "C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "FRec214.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe

Filesize
3.1MB

MD5
d4962282718c7f0dab0108079d354bd4

SHA1
ebfd54cb13bbf86debb6aceec5fd0508271cf23b

SHA256
bd9ea233b21926a058a64c6b191abbae14bcaab7a968a3a19a0a84595fe62f3b

SHA512
0632a87bbb7f885929a2fb3b349fda66f8d1a495d713f045f4e52198574cd3edf15b28ecfe3d7a288b4bd2be9055e6b7e4fa9be64648016296340b174cb44b8f

Download Submit
C:\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe

Filesize
3.1MB

MD5
d4962282718c7f0dab0108079d354bd4

SHA1
ebfd54cb13bbf86debb6aceec5fd0508271cf23b

SHA256
bd9ea233b21926a058a64c6b191abbae14bcaab7a968a3a19a0a84595fe62f3b

SHA512
0632a87bbb7f885929a2fb3b349fda66f8d1a495d713f045f4e52198574cd3edf15b28ecfe3d7a288b4bd2be9055e6b7e4fa9be64648016296340b174cb44b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1QBEN.tmp\file.tmp

Filesize
696KB

MD5
d76329b30db65f61d55b20f36b56da26

SHA1
5e4c77b723ae8f05b3ae6afeee735a4355f00663

SHA256
229fbcb11ee7d1f082b6411610e95f726eec4e6737e6b6392719df4f0fe3fa1d

SHA512
a291aed0897315e88b6378b1db10ada05bda8c1eccaf73de23f409fe61860ebd1dbb422063e00996584d3b4b100122931d5bbab54a88951706d75efcc660f70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1QBEN.tmp\file.tmp

Filesize
696KB

MD5
d76329b30db65f61d55b20f36b56da26

SHA1
5e4c77b723ae8f05b3ae6afeee735a4355f00663

SHA256
229fbcb11ee7d1f082b6411610e95f726eec4e6737e6b6392719df4f0fe3fa1d

SHA512
a291aed0897315e88b6378b1db10ada05bda8c1eccaf73de23f409fe61860ebd1dbb422063e00996584d3b4b100122931d5bbab54a88951706d75efcc660f70d

Download Submit
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\sIvyBQw8p8Hp.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
\Program Files (x86)\FHTsoftFR\FRec214\FRec214.exe

Filesize
3.1MB

MD5
d4962282718c7f0dab0108079d354bd4

SHA1
ebfd54cb13bbf86debb6aceec5fd0508271cf23b

SHA256
bd9ea233b21926a058a64c6b191abbae14bcaab7a968a3a19a0a84595fe62f3b

SHA512
0632a87bbb7f885929a2fb3b349fda66f8d1a495d713f045f4e52198574cd3edf15b28ecfe3d7a288b4bd2be9055e6b7e4fa9be64648016296340b174cb44b8f

Download Submit
\Users\Admin\AppData\Local\Temp\is-1QBEN.tmp\file.tmp

Filesize
696KB

MD5
d76329b30db65f61d55b20f36b56da26

SHA1
5e4c77b723ae8f05b3ae6afeee735a4355f00663

SHA256
229fbcb11ee7d1f082b6411610e95f726eec4e6737e6b6392719df4f0fe3fa1d

SHA512
a291aed0897315e88b6378b1db10ada05bda8c1eccaf73de23f409fe61860ebd1dbb422063e00996584d3b4b100122931d5bbab54a88951706d75efcc660f70d

Download Submit
\Users\Admin\AppData\Local\Temp\is-NQUK9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-NQUK9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-NQUK9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NQUK9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\sIvyBQw8p8Hp.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/568-78-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/568-81-0x0000000000400000-0x0000000001526000-memory.dmp

Filesize
17.1MB

Download
memory/568-84-0x0000000000400000-0x0000000001526000-memory.dmp

Filesize
17.1MB

Download
memory/568-72-0x0000000000400000-0x0000000001526000-memory.dmp

Filesize
17.1MB

Download
memory/568-73-0x0000000000400000-0x0000000001526000-memory.dmp

Filesize
17.1MB

Download
memory/568-74-0x0000000000400000-0x0000000001526000-memory.dmp

Filesize
17.1MB

Download
memory/1148-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1148-70-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1148-85-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1148-55-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2008-71-0x0000000002E10000-0x0000000003F36000-memory.dmp

Filesize
17.1MB

Download