gcleaner | ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c

General

Target

ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.exe
Size

2.3MB
MD5

147470c2d317cdce99dda6f9124637f6
SHA1

8b3dfb3cf431c4c65a5b272538bfbbbb68d5ea5e
SHA256

ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c
SHA512

f48cb2af88e77b6f102fc8ae6c52ce9c992c76610d604c243deaf57a164a59c15c12d022b44ec06cbac7ed9f13716f7871b8d040526b491838d1d73b65d22b98
SSDEEP

49152:32ULLff6Pbvr3H3K9SZ+REUCIQJBPne2g4evycV3Y11k:mULLffsbvLK8ZHIWe2RevycVo1+

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Executes dropped EXE 3 IoCs

pid	Process
4892	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
3992	LitFiles133.exe
2096	TuO3f.exe

Loads dropped DLL 1 IoCs

pid	Process
4892	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Split Files\language\is-C0EB2.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-KCT2Q.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-NG6GK.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\is-64HDH.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\is-HS6IJ.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File opened for modification	C:\Program Files (x86)\Split Files\LitFiles133.exe	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\is-KO353.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-IQBQS.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-NBNNA.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\is-UG1DV.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\unins000.dat	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-PHGFN.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\is-94S3C.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-V69VH.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-SF90P.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
File created	C:\Program Files (x86)\Split Files\language\is-M8RR1.tmp	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3992	LitFiles133.exe
3992	LitFiles133.exe
3992	LitFiles133.exe
3992	LitFiles133.exe
3992	LitFiles133.exe
3992	LitFiles133.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3992	LitFiles133.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4892	232	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.exe	85
PID 232 wrote to memory of 4892	232	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.exe	85
PID 232 wrote to memory of 4892	232	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.exe	85
PID 4892 wrote to memory of 3992	4892	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp	86
PID 4892 wrote to memory of 3992	4892	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp	86
PID 4892 wrote to memory of 3992	4892	ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp	86
PID 3992 wrote to memory of 2096	3992	LitFiles133.exe	87
PID 3992 wrote to memory of 2096	3992	LitFiles133.exe	87
PID 3992 wrote to memory of 2096	3992	LitFiles133.exe	87

C:\Users\Admin\AppData\Local\Temp\ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.exe
"C:\Users\Admin\AppData\Local\Temp\ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\is-HUJS3.tmp\ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HUJS3.tmp\ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp" /SL5="$80050,1893941,182784,C:\Users\Admin\AppData\Local\Temp\ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Program Files (x86)\Split Files\LitFiles133.exe
    "C:\Program Files (x86)\Split Files\LitFiles133.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Users\Admin\AppData\Roaming\{7f74da3b-b191-11ed-abe8-806e6f6e6963}\TuO3f.exe
      4⤵
      Executes dropped EXE
      PID:2096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\LitFiles133.exe

Filesize
3.4MB

MD5
9a71e721fcbc43ab3b8cc23dca8d045c

SHA1
5744f90027ea9af42f6d1bfa8093f175680f5542

SHA256
b9c6ffc09c570f158e678fa1b58a315dc613ec9aef06279dde5d8bbe8422bd20

SHA512
dba609cd5592dbdcfa7dead393e347c52440066c7f89e856a58889146a78dfee986940fa4de91fcb9c1a400d3e6ddd2c1440d169f61cacc2ab1f089949691cc7

Download Submit
C:\Program Files (x86)\Split Files\LitFiles133.exe

Filesize
3.4MB

MD5
9a71e721fcbc43ab3b8cc23dca8d045c

SHA1
5744f90027ea9af42f6d1bfa8093f175680f5542

SHA256
b9c6ffc09c570f158e678fa1b58a315dc613ec9aef06279dde5d8bbe8422bd20

SHA512
dba609cd5592dbdcfa7dead393e347c52440066c7f89e856a58889146a78dfee986940fa4de91fcb9c1a400d3e6ddd2c1440d169f61cacc2ab1f089949691cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-69CP9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HUJS3.tmp\ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp

Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HUJS3.tmp\ff9e867f3592358278ec211303fc25157961b4d9d6ce0c20ddbd8d13691d2f6c.tmp

Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Roaming\{7f74da3b-b191-11ed-abe8-806e6f6e6963}\TuO3f.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{7f74da3b-b191-11ed-abe8-806e6f6e6963}\TuO3f.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/232-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-183-0x0000000000400000-0x0000000001564000-memory.dmp

Filesize
17.4MB

Download
memory/3992-182-0x0000000000400000-0x0000000001564000-memory.dmp

Filesize
17.4MB

Download
memory/3992-190-0x0000000000400000-0x0000000001564000-memory.dmp

Filesize
17.4MB

Download
memory/4892-148-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4892-189-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing