gcleaner | 8123a9be56fc060e23f0e5300c0d5a8661db98cc7cdcab6c5f40fbc054fa51c9

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
Size

286KB
MD5

c2b789418aac48cba417fb716c3fd796
SHA1

3288dfa064922855033d35fcff773dc1a03e4ff6
SHA256

8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
SHA512

ae8c7d90de615b6ed54c37daafbf8828e48f158a8bd700fc0353b794bc5e0aca921593c5b645c125adea548e91a4da69e4be81083cd0a16dcc0d242cbfa3268c
SSDEEP

6144:ofkEUIzKUzqKjPvwIpUKSCNxDGD1BmH8d8xXj:ofkT29zqKjI0S4AeASXj

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1700 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1640 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1640 taskkill.exe

pid	process
1700	cmd.exe

pid	process
1640	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1640	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.execmd.exe

description	pid	process	target process
PID 1476 wrote to memory of 1700	1476	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe	cmd.exe
PID 1476 wrote to memory of 1700	1476	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe	cmd.exe
PID 1476 wrote to memory of 1700	1476	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe	cmd.exe
PID 1476 wrote to memory of 1700	1476	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe	cmd.exe
PID 1700 wrote to memory of 1640	1700	cmd.exe	taskkill.exe
PID 1700 wrote to memory of 1640	1700	cmd.exe	taskkill.exe
PID 1700 wrote to memory of 1640	1700	cmd.exe	taskkill.exe
PID 1700 wrote to memory of 1640	1700	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
"C:\Users\Admin\AppData\Local\Temp\8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-55-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/1476-56-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download