gcleaner | 9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3

General

Target

9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe
Size

2.2MB
MD5

164ae80d86d7e06bd0aa30ebf8ee0347
SHA1

c1e4f717b6f2d05b416007972de212b2139db73f
SHA256

9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3
SHA512

df717a7b9269aefe7b141459dbbb4206e769e967dde9aa8597b3b3cc94ac0cd3d52d7d93732d9f90f52f0e922a0a7017c357a2ac9173a76fc5a40ce461b04b48
SSDEEP

49152:32ALLiNVZI1Yr98vgJxO2/+T2ArTXrELV3Y11Ag:mALLiN7HbZy2ArTXQLVo1+

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Executes dropped EXE 3 IoCs

Processes:

9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmpLitFiles133.exeTuO3f.exe

pid process

3360 9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
4656 LitFiles133.exe
2112 TuO3f.exe
Loads dropped DLL 1 IoCs

Processes:

9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp

pid process

3360 9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3360	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
4656	LitFiles133.exe
2112	TuO3f.exe

pid	process
3360	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp

Drops file in Program Files directory 17 IoCs

Processes:

9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp

description	ioc	process
File created	C:\Program Files (x86)\Split Files\is-Q3M4C.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\unins000.dat	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\is-PAJV9.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\is-SC29T.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-8U4DG.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-K9NOO.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\is-671PG.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File opened for modification	C:\Program Files (x86)\Split Files\LitFiles133.exe	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-PLHL4.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-BS90F.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-7C6P3.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-D4DVF.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-7CNT8.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-LRV0Q.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-U5UNF.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
File created	C:\Program Files (x86)\Split Files\is-NKJ30.tmp	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

LitFiles133.exe

pid process

4656 LitFiles133.exe
4656 LitFiles133.exe
4656 LitFiles133.exe
4656 LitFiles133.exe
4656 LitFiles133.exe
4656 LitFiles133.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LitFiles133.exe

pid process

4656 LitFiles133.exe

pid	process
4656	LitFiles133.exe
4656	LitFiles133.exe
4656	LitFiles133.exe
4656	LitFiles133.exe
4656	LitFiles133.exe
4656	LitFiles133.exe

pid	process
4656	LitFiles133.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmpLitFiles133.exe

description	pid	process	target process
PID 4916 wrote to memory of 3360	4916	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
PID 4916 wrote to memory of 3360	4916	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
PID 4916 wrote to memory of 3360	4916	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
PID 3360 wrote to memory of 4656	3360	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp	LitFiles133.exe
PID 3360 wrote to memory of 4656	3360	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp	LitFiles133.exe
PID 3360 wrote to memory of 4656	3360	9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp	LitFiles133.exe
PID 4656 wrote to memory of 2112	4656	LitFiles133.exe	TuO3f.exe
PID 4656 wrote to memory of 2112	4656	LitFiles133.exe	TuO3f.exe
PID 4656 wrote to memory of 2112	4656	LitFiles133.exe	TuO3f.exe

C:\Users\Admin\AppData\Local\Temp\9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe
"C:\Users\Admin\AppData\Local\Temp\9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\is-TJE70.tmp\9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TJE70.tmp\9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp" /SL5="$801C4,1731188,182784,C:\Users\Admin\AppData\Local\Temp\9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3360

C:\Program Files (x86)\Split Files\LitFiles133.exe
"C:\Program Files (x86)\Split Files\LitFiles133.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Roaming\{a9cfdea2-b1a1-11ed-9f68-806e6f6e6963}\TuO3f.exe
4⤵
- Executes dropped EXE
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\LitFiles133.exe
Filesize
3.2MB

MD5
9c353bc846e6383522abb6a6b6468f27

SHA1
5bad4cfefcad3103d2c20b2a7c7d2bfc983fb095

SHA256
cd187f445f870d8aeecc3a8638a956df26564b4dbdfe2bc7e4cadfb186a6f62f

SHA512
dd6ee1ef43afda5ae474f1c9632c1d6dc144aa74691f533ccfe7b4a655a971a9c169a23019f1c6f5df2e01bd0847c87d0f91f0fd5bbcfba41b2cb20621f70825

Download Submit
C:\Program Files (x86)\Split Files\LitFiles133.exe
Filesize
3.2MB

MD5
9c353bc846e6383522abb6a6b6468f27

SHA1
5bad4cfefcad3103d2c20b2a7c7d2bfc983fb095

SHA256
cd187f445f870d8aeecc3a8638a956df26564b4dbdfe2bc7e4cadfb186a6f62f

SHA512
dd6ee1ef43afda5ae474f1c9632c1d6dc144aa74691f533ccfe7b4a655a971a9c169a23019f1c6f5df2e01bd0847c87d0f91f0fd5bbcfba41b2cb20621f70825

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3O38K.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJE70.tmp\9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJE70.tmp\9002e4a7f0c6a57a0436aed44b2b7cd62cb36d402eb528df3cdede12d4f06df3.tmp
Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Roaming\{a9cfdea2-b1a1-11ed-9f68-806e6f6e6963}\TuO3f.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{a9cfdea2-b1a1-11ed-9f68-806e6f6e6963}\TuO3f.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/3360-150-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3360-189-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/4656-182-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/4656-183-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/4656-190-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/4916-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing