Analysis
-
max time kernel
31s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
11-03-2023 15:46
General
-
Target
94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76.exe
-
Size
280KB
-
MD5
b5d2845d8527d553115463d631b1702d
-
SHA1
b63b39d1b3d2f477f965b460ebc05e765450723c
-
SHA256
94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76
-
SHA512
08fc0ba5967ecc8ff3b4442d59666913b0b704d8e172d34545ac6afcb9b041f93e30f807dd240d6baa76fc2ba56c2a825e6d27bbb755c0cffb841878d2174b08
-
SSDEEP
6144:ZOLRv3eI/62feWK3az1MbbhOXXASgyA591:k9vf62fS3MSbgndS
Score
10/10
Malware Config
Extracted
Family
gcleaner
C2
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Deletes itself 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76.exe"C:\Users\Admin\AppData\Local\Temp\94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76.exe" & exit2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "94551b68fcb65d49a5d1d29a0dba5ec3f2e98252fef337a4fba2416ecb8cea76.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
-
Filesize
256KB