gcleaner | 5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-03-2023 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe
Size

2.3MB
MD5

a0f4a77ee49c2e9e9ad9f90ce1c68e5e
SHA1

8d55c51c4746c1d58ddcce9d9edbb97317625496
SHA256

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031
SHA512

c8fb35e6dd27f092788fa445fdf64b1ddd8a517a27b2c6f6d5648cc7557d688d75b266b9571af3fd85fc424ea90843c664061945dc249c346d03efc4a59fa418
SSDEEP

49152:32vLLYKdZze4nHpnGlIFTskVQrjtR2sH1N/XpCgH1pvq7LpTvYv57bRnXcpV3Y1H:mvLLYKdZrvokSH32iNXAgHrvqtARX0Vj

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Executes dropped EXE 3 IoCs

Processes:

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmpLitFiles133.exepFkW9hoE.exe

pid process

1896 5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
1420 LitFiles133.exe
1796 pFkW9hoE.exe

pid	process
1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
1420	LitFiles133.exe
1796	pFkW9hoE.exe

Loads dropped DLL 6 IoCs

Processes:

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmpLitFiles133.exe

pid	process
1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe
1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
1420	LitFiles133.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

Processes:

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp

description	ioc	process
File created	C:\Program Files (x86)\Split Files\is-GV7JT.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-0R84A.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-LR7JJ.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-7RABE.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-9J33S.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-NV85M.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-7DQAS.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-UM8S1.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-HDT8P.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-2BEKR.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File opened for modification	C:\Program Files (x86)\Split Files\LitFiles133.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\unins000.dat	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-OO0JM.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-CG1QU.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-J1TGU.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-G6LCB.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

LitFiles133.exe

pid process

1420 LitFiles133.exe
1420 LitFiles133.exe
1420 LitFiles133.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LitFiles133.exe

pid process

1420 LitFiles133.exe

pid	process
1420	LitFiles133.exe
1420	LitFiles133.exe
1420	LitFiles133.exe

pid	process
1420	LitFiles133.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmpLitFiles133.exe

description	pid	process	target process
PID 1580 wrote to memory of 1896	1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
PID 1580 wrote to memory of 1896	1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
PID 1580 wrote to memory of 1896	1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
PID 1580 wrote to memory of 1896	1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
PID 1580 wrote to memory of 1896	1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
PID 1580 wrote to memory of 1896	1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
PID 1580 wrote to memory of 1896	1580	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
PID 1896 wrote to memory of 1420	1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp	LitFiles133.exe
PID 1896 wrote to memory of 1420	1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp	LitFiles133.exe
PID 1896 wrote to memory of 1420	1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp	LitFiles133.exe
PID 1896 wrote to memory of 1420	1896	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp	LitFiles133.exe
PID 1420 wrote to memory of 1796	1420	LitFiles133.exe	pFkW9hoE.exe
PID 1420 wrote to memory of 1796	1420	LitFiles133.exe	pFkW9hoE.exe
PID 1420 wrote to memory of 1796	1420	LitFiles133.exe	pFkW9hoE.exe
PID 1420 wrote to memory of 1796	1420	LitFiles133.exe	pFkW9hoE.exe

C:\Users\Admin\AppData\Local\Temp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe
"C:\Users\Admin\AppData\Local\Temp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\is-E3HEO.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E3HEO.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp" /SL5="$8014E,1745942,182784,C:\Users\Admin\AppData\Local\Temp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1896

C:\Program Files (x86)\Split Files\LitFiles133.exe
"C:\Program Files (x86)\Split Files\LitFiles133.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\pFkW9hoE.exe
4⤵
- Executes dropped EXE
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\LitFiles133.exe
Filesize
3.2MB

MD5
947756eeeea1163cc7ee5ead79374c4e

SHA1
abd235f822b6170a252f5bc6f24cb3924d7530ba

SHA256
657b13fabbb83ecf4a262c35be5de43772cc940488dd61af1eab2b88100dced7

SHA512
2dbb400619d605ed73fd0f3b034400496842f19261b6ddca59c79ec9006f1edfe4d40e45cce54f096aa06ec9f2d6f6c73df8d774d558948e7bb4a44e6dbd8b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E3HEO.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E3HEO.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\pFkW9hoE.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
\Program Files (x86)\Split Files\LitFiles133.exe
Filesize
3.2MB

MD5
947756eeeea1163cc7ee5ead79374c4e

SHA1
abd235f822b6170a252f5bc6f24cb3924d7530ba

SHA256
657b13fabbb83ecf4a262c35be5de43772cc940488dd61af1eab2b88100dced7

SHA512
2dbb400619d605ed73fd0f3b034400496842f19261b6ddca59c79ec9006f1edfe4d40e45cce54f096aa06ec9f2d6f6c73df8d774d558948e7bb4a44e6dbd8b48

Download Submit
\Users\Admin\AppData\Local\Temp\is-E3HEO.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-QD89T.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-QD89T.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-QD89T.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\pFkW9hoE.exe
Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/1420-112-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/1420-108-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/1420-111-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/1420-119-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/1580-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-110-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1896-107-0x0000000003630000-0x0000000004762000-memory.dmp

Filesize
17.2MB

Download
memory/1896-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1896-118-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download