Overview

overview

10

Static

static

1

9c48e1bb55...7e.exe

windows7-x64

10

9c48e1bb55...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-03-2023 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e.exe

  • Size

    274KB

  • MD5

    7ebea2e3a1e5ae3bc8e224d206bc6f93

  • SHA1

    6901a26caeb04f7a85965fef96453078d00114e4

  • SHA256

    9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e

  • SHA512

    f0c2b7f21e20afd28a9528e4b57fecc1e62a1de47a4bf762d438a4b3991ac9d4c66ae07032d2fa92df37def94a72aa293e62f8d5f85dca064180895db84bda7e

  • SSDEEP

    6144:u8wLvRMLefcHC+zuMg8KVmOxJRcPsAFDOI9RtyAZcQ2L:yaLefcHuMZTgM3OgBZcQ

Score
10/10
gcleanerloader

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e.exe
    "C:\Users\Admin\AppData\Local\Temp\9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 452
      2⤵
      • Program crash
      PID:4004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 772
      2⤵
      • Program crash
      PID:4212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 780
      2⤵
      • Program crash
      PID:928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 780
      2⤵
      • Program crash
      PID:1624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 792
      2⤵
      • Program crash
      PID:4044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 928
      2⤵
      • Program crash
      PID:4080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 976
      2⤵
      • Program crash
      PID:3844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1360
      2⤵
      • Program crash
      PID:3432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "9c48e1bb555bbb98d635146b5098f1fda8753eade8479c079a14a5a1887fde7e.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 532
      2⤵
      • Program crash
      PID:1668
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2080 -ip 2080
    1⤵
      PID:3416
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2080 -ip 2080
      1⤵
        PID:3576
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2080 -ip 2080
        1⤵
          PID:2704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2080 -ip 2080
          1⤵
            PID:3532
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2080 -ip 2080
            1⤵
              PID:4508
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2080 -ip 2080
              1⤵
                PID:2512
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2080 -ip 2080
                1⤵
                  PID:4120
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2080 -ip 2080
                  1⤵
                    PID:3352
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2080 -ip 2080
                    1⤵
                      PID:3928

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/2080-134-0x00000000023C0000-0x0000000002400000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/2080-136-0x0000000000400000-0x0000000000627000-memory.dmp

                      Filesize

                      2.2MB

                      Download