gcleaner | 621f05c3a5bc27def35adf4d0503b2f5019db2f2b72a0452c9a14850c4495779

Analysis

max time kernel
25s
max time network
28s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ecec283adcd319326f271ed5a79638a.exe
Size

292KB
MD5

2ecec283adcd319326f271ed5a79638a
SHA1

e66e5423dd5855fcb95c6f813cc05e23004b5e1f
SHA256

621f05c3a5bc27def35adf4d0503b2f5019db2f2b72a0452c9a14850c4495779
SHA512

ff820293d62f6633e2bbaf53c757ec1d6bf5907057db86ce31c1c6f11b2e55af507aa1464dae05c4abc43fb0f655d1a175465251e104c39c0b0b7928c9452fe2
SSDEEP

6144:r1o2tWGS1EyPyJdk/ZQORtHV7qJnj8Zw8QN:raAWgyPGd+iJ4K8Q

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

528 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

976 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 976 taskkill.exe

pid	process
528	cmd.exe

pid	process
976	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	976	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2ecec283adcd319326f271ed5a79638a.execmd.exe

description	pid	process	target process
PID 1604 wrote to memory of 528	1604	2ecec283adcd319326f271ed5a79638a.exe	cmd.exe
PID 1604 wrote to memory of 528	1604	2ecec283adcd319326f271ed5a79638a.exe	cmd.exe
PID 1604 wrote to memory of 528	1604	2ecec283adcd319326f271ed5a79638a.exe	cmd.exe
PID 1604 wrote to memory of 528	1604	2ecec283adcd319326f271ed5a79638a.exe	cmd.exe
PID 528 wrote to memory of 976	528	cmd.exe	taskkill.exe
PID 528 wrote to memory of 976	528	cmd.exe	taskkill.exe
PID 528 wrote to memory of 976	528	cmd.exe	taskkill.exe
PID 528 wrote to memory of 976	528	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\2ecec283adcd319326f271ed5a79638a.exe
"C:\Users\Admin\AppData\Local\Temp\2ecec283adcd319326f271ed5a79638a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "2ecec283adcd319326f271ed5a79638a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2ecec283adcd319326f271ed5a79638a.exe" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "2ecec283adcd319326f271ed5a79638a.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1604-55-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1604-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1604-58-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download