gcleaner | 5005631fe75e522c6cf19982716ddbcfb13f5d3ce6e27704da7bfa3b1adbda3c

General

Target

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
Size

270KB
MD5

0e64802a39def8b062a90ac724456d44
SHA1

7745f11285f663d01c01bfb55e230f7a871e7f52
SHA256

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5
SHA512

1d684bc2de3bae0b50e3fd15dd3824e40ae5ee22c6983378c76f06d248f77d2dc231eb04ce5f880db400ea7b54da4914491df2d4006f18b89fcfaa3b1b947906
SSDEEP

6144:l6GXXyJP2yz6cWUcoKBPnjoc8vO+Tn849:gqCJP2ylWn9jmLr

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3084	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
3712	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
228	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
4760	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
3612	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
904	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
5068	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
3876	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
1804	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
1036	4924	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4832 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4832 taskkill.exe

pid	process
4832	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4832	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.execmd.exe

description	pid	process	target process
PID 4924 wrote to memory of 2852	4924	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe	cmd.exe
PID 4924 wrote to memory of 2852	4924	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe	cmd.exe
PID 4924 wrote to memory of 2852	4924	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe	cmd.exe
PID 2852 wrote to memory of 4832	2852	cmd.exe	taskkill.exe
PID 2852 wrote to memory of 4832	2852	cmd.exe	taskkill.exe
PID 2852 wrote to memory of 4832	2852	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
"C:\Users\Admin\AppData\Local\Temp\3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 456
  2⤵
  - Program crash
  PID:3084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 764
  2⤵
  - Program crash
  PID:3712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 784
  2⤵
  - Program crash
  PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 784
  2⤵
  - Program crash
  PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 816
  2⤵
  - Program crash
  PID:3612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 928
  2⤵
  - Program crash
  PID:904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 976
  2⤵
  - Program crash
  PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1072
  2⤵
  - Program crash
  PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1384
  2⤵
  - Program crash
  PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1308
  2⤵
  - Program crash
  PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4924 -ip 4924
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4924 -ip 4924
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4924 -ip 4924
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4924 -ip 4924
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4924 -ip 4924
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4924 -ip 4924
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4924 -ip 4924
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4924 -ip 4924
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4924 -ip 4924
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4924 -ip 4924
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4924-134-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/4924-136-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads