gcleaner | d99a96df8ae80f5de78dd165b9e595233f51e06df8e30bba5229e4b8d04a6a60

General

Target

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
Size

270KB
MD5

0e64802a39def8b062a90ac724456d44
SHA1

7745f11285f663d01c01bfb55e230f7a871e7f52
SHA256

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5
SHA512

1d684bc2de3bae0b50e3fd15dd3824e40ae5ee22c6983378c76f06d248f77d2dc231eb04ce5f880db400ea7b54da4914491df2d4006f18b89fcfaa3b1b947906
SSDEEP

6144:l6GXXyJP2yz6cWUcoKBPnjoc8vO+Tn849:gqCJP2ylWn9jmLr

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe

Drops file in System32 directory 4 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{DF78815A-3BFB-4A40-BAF6-AB7D7680F2C2}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{778FAB00-3C5A-4381-A7A4-DB098F0D92CA}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3392	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
4732	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
4100	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
2144	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
2252	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
1116	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
5080	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
4500	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
4768	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
3848	3876	WerFault.exe	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4916 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4916 taskkill.exe

pid	process
4916	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4916	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.execmd.exe

description	pid	process	target process
PID 3876 wrote to memory of 4612	3876	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe	cmd.exe
PID 3876 wrote to memory of 4612	3876	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe	cmd.exe
PID 3876 wrote to memory of 4612	3876	3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe	cmd.exe
PID 4612 wrote to memory of 4916	4612	cmd.exe	taskkill.exe
PID 4612 wrote to memory of 4916	4612	cmd.exe	taskkill.exe
PID 4612 wrote to memory of 4916	4612	cmd.exe	taskkill.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe
"C:\Users\Admin\AppData\Local\Temp\3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 448
  2⤵
  - Program crash
  PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 764
  2⤵
  - Program crash
  PID:4732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 764
  2⤵
  - Program crash
  PID:4100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 764
  2⤵
  - Program crash
  PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 856
  2⤵
  - Program crash
  PID:2252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 932
  2⤵
  - Program crash
  PID:1116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1004
  2⤵
  - Program crash
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1048
  2⤵
  - Program crash
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1356
  2⤵
  - Program crash
  PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "3aa97a5e2d24316daca7529266216886cf888b6643b77c1e6c51ea42600e61c5.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1480
  2⤵
  - Program crash
  PID:3848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3876 -ip 3876
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3876 -ip 3876
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3876 -ip 3876
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3876 -ip 3876
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3876 -ip 3876
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3876 -ip 3876
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3876 -ip 3876
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3876 -ip 3876
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3876 -ip 3876
1⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3876 -ip 3876
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsu9BF.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
memory/3876-134-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/3876-138-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads