gcleaner | 8123a9be56fc060e23f0e5300c0d5a8661db98cc7cdcab6c5f40fbc054fa51c9

General

Target

8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
Size

286KB
MD5

c2b789418aac48cba417fb716c3fd796
SHA1

3288dfa064922855033d35fcff773dc1a03e4ff6
SHA256

8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e
SHA512

ae8c7d90de615b6ed54c37daafbf8828e48f158a8bd700fc0353b794bc5e0aca921593c5b645c125adea548e91a4da69e4be81083cd0a16dcc0d242cbfa3268c
SSDEEP

6144:ofkEUIzKUzqKjPvwIpUKSCNxDGD1BmH8d8xXj:ofkT29zqKjI0S4AeASXj

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1660	4760	WerFault.exe	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
3584	4760	WerFault.exe	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
3336	4760	WerFault.exe	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
4160	4760	WerFault.exe	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
320	4760	WerFault.exe	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
1476	4760	WerFault.exe	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
4120	4760	WerFault.exe	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3800 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3800 taskkill.exe

pid	process
3800	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3800	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.execmd.exe

description	pid	process	target process
PID 4760 wrote to memory of 4516	4760	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe	cmd.exe
PID 4760 wrote to memory of 4516	4760	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe	cmd.exe
PID 4760 wrote to memory of 4516	4760	8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe	cmd.exe
PID 4516 wrote to memory of 3800	4516	cmd.exe	taskkill.exe
PID 4516 wrote to memory of 3800	4516	cmd.exe	taskkill.exe
PID 4516 wrote to memory of 3800	4516	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe
"C:\Users\Admin\AppData\Local\Temp\8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 740
  2⤵
  - Program crash
  PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 780
  2⤵
  - Program crash
  PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 784
  2⤵
  - Program crash
  PID:3336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 792
  2⤵
  - Program crash
  PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 940
  2⤵
  - Program crash
  PID:320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 968
  2⤵
  - Program crash
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "8b98ab7c2c0c1b05603f3e9c580c0f71e9f6737f3d5a99d4777d945b14d1e67e.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 764
  2⤵
  - Program crash
  PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4760 -ip 4760
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4760 -ip 4760
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4760 -ip 4760
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4760 -ip 4760
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4760 -ip 4760
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4760 -ip 4760
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4760 -ip 4760
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4760-134-0x00000000006F0000-0x0000000000730000-memory.dmp

Filesize
256KB

Download
memory/4760-135-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads