Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/03/2023, 15:47 UTC

General

  • Target

    0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe

  • Size

    274KB

  • MD5

    fc9d6c44a166ea2f7f93de619b904481

  • SHA1

    e47a116cf55e7f3dbb141f0dc4b6c75875fec38a

  • SHA256

    0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b

  • SHA512

    4a60cc0a48f6ec442e6244d9b1a488b6644e250f726631dab286470eee80ccc5f86296abcbacdda233d4f7dbc24973fd8e1476ad302dba21c2302bc9c8a72cf2

  • SSDEEP

    6144:QgnrhUFa2TGI5Z6p+F8duWDHoGjiXECnrSenXJ0v:Qgnr/2TGI5Z6pjEWSBneen5u

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe
    "C:\Users\Admin\AppData\Local\Temp\0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:336
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1852

Network

  • flag-nl
    GET
    http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixkis
    0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe
    Remote address:
    45.12.253.56:80
    Request
    GET /advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixkis HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: OK
    Host: 45.12.253.56
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 11 Mar 2023 15:47:26 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • 45.12.253.56:80
    http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixkis
    http
    0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe
    619 B
    336 B
    4
    3

    HTTP Request

    GET http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixkis

    HTTP Response

    200

MITRE ATT&CK Enterprise v6

Downloads

  • memory/336-55-0x00000000002B0000-0x00000000002F0000-memory.dmp

    Filesize

    256KB

  • memory/336-57-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB
