gcleaner | c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3

General

Target

c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exe
Size

2.0MB
MD5

c46b7303472b5aaf444c210138079f49
SHA1

08786e730e7534c8cd6c2b46fc5a5b010b61cccc
SHA256

c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3
SHA512

22488e2bca53721622e05b5a8b2315f7b4d9c370f6f90ec080ef3663bffe40be34a7d72f9f88c9ad9c248b67ca06f640c4d9920328ff22c8d02c6b839b27267b
SSDEEP

49152:B23LLyd9mRi0cqgdM1GqnW7ae9JXWkd31E6pJ43OtBV3Y11P0:E3LLyd98i7qgdM1oeezr1E6H9tBVo11

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Executes dropped EXE 3 IoCs

Processes:

c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmpLitFiles133.exeePok07hAxhlmS.exe

pid process

2212 c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
180 LitFiles133.exe
4308 ePok07hAxhlmS.exe
Loads dropped DLL 1 IoCs

Processes:

c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp

pid process

2212 c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2212	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
180	LitFiles133.exe
4308	ePok07hAxhlmS.exe

pid	process
2212	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp

Drops file in Program Files directory 17 IoCs

Processes:

c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp

description	ioc	process
File created	C:\Program Files (x86)\Split Files\language\is-QCT1C.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\is-1HNEG.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-JJPLA.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\is-C4DL5.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-2AS34.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-8BP2S.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\is-4F92H.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\unins000.dat	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-BGJ4B.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\is-0EJQ5.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File opened for modification	C:\Program Files (x86)\Split Files\LitFiles133.exe	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\is-SP7KF.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-PJUFE.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-9TJED.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-JUKMH.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
File created	C:\Program Files (x86)\Split Files\language\is-FD4JU.tmp	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

LitFiles133.exe

pid process

180 LitFiles133.exe
180 LitFiles133.exe
180 LitFiles133.exe
180 LitFiles133.exe
180 LitFiles133.exe
180 LitFiles133.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LitFiles133.exe

pid process

180 LitFiles133.exe

pid	process
180	LitFiles133.exe
180	LitFiles133.exe
180	LitFiles133.exe
180	LitFiles133.exe
180	LitFiles133.exe
180	LitFiles133.exe

pid	process
180	LitFiles133.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exec083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmpLitFiles133.exe

description	pid	process	target process
PID 3184 wrote to memory of 2212	3184	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exe	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
PID 3184 wrote to memory of 2212	3184	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exe	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
PID 3184 wrote to memory of 2212	3184	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exe	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
PID 2212 wrote to memory of 180	2212	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp	LitFiles133.exe
PID 2212 wrote to memory of 180	2212	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp	LitFiles133.exe
PID 2212 wrote to memory of 180	2212	c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp	LitFiles133.exe
PID 180 wrote to memory of 4308	180	LitFiles133.exe	ePok07hAxhlmS.exe
PID 180 wrote to memory of 4308	180	LitFiles133.exe	ePok07hAxhlmS.exe
PID 180 wrote to memory of 4308	180	LitFiles133.exe	ePok07hAxhlmS.exe

C:\Users\Admin\AppData\Local\Temp\c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exe
"C:\Users\Admin\AppData\Local\Temp\c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\is-KM2LU.tmp\c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KM2LU.tmp\c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp" /SL5="$A0050,1733667,182784,C:\Users\Admin\AppData\Local\Temp\c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Split Files\LitFiles133.exe
    "C:\Program Files (x86)\Split Files\LitFiles133.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:180
  - - C:\Users\Admin\AppData\Roaming\{7f74da3b-b191-11ed-abe8-806e6f6e6963}\ePok07hAxhlmS.exe
      4⤵
      Executes dropped EXE
      PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\LitFiles133.exe

Filesize
3.2MB

MD5
d9bd4ff6a2fffa64d20fead062d1d3b4

SHA1
0defe88417dff079750863307b33fe1926e9a33d

SHA256
f06372070f6b544747e00dae45d0d01af67c4f4b9aa82c0d1518a44714c4c248

SHA512
c9a93ab4d119b9f3b9f8227821253d746ebc93a97df6bf56b45c1b00a58027f63f86866f3ffa3ad1e00a774295155d962d20b68e9fe868a61c617771f2da16d2

Download Submit
C:\Program Files (x86)\Split Files\LitFiles133.exe

Filesize
3.2MB

MD5
d9bd4ff6a2fffa64d20fead062d1d3b4

SHA1
0defe88417dff079750863307b33fe1926e9a33d

SHA256
f06372070f6b544747e00dae45d0d01af67c4f4b9aa82c0d1518a44714c4c248

SHA512
c9a93ab4d119b9f3b9f8227821253d746ebc93a97df6bf56b45c1b00a58027f63f86866f3ffa3ad1e00a774295155d962d20b68e9fe868a61c617771f2da16d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KM2LU.tmp\c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp

Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KM2LU.tmp\c083228d34758c9cef968fe6f448f230ae5cabf273ae22508a5c8810208034c3.tmp

Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PURNB.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Roaming\{7f74da3b-b191-11ed-abe8-806e6f6e6963}\ePok07hAxhlmS.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{7f74da3b-b191-11ed-abe8-806e6f6e6963}\ePok07hAxhlmS.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/180-183-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/180-184-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/180-191-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/2212-151-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2212-190-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3184-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3184-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing