gcleaner | 5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031

General

Target

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe
Size

2.3MB
MD5

a0f4a77ee49c2e9e9ad9f90ce1c68e5e
SHA1

8d55c51c4746c1d58ddcce9d9edbb97317625496
SHA256

5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031
SHA512

c8fb35e6dd27f092788fa445fdf64b1ddd8a517a27b2c6f6d5648cc7557d688d75b266b9571af3fd85fc424ea90843c664061945dc249c346d03efc4a59fa418
SSDEEP

49152:32vLLYKdZze4nHpnGlIFTskVQrjtR2sH1N/XpCgH1pvq7LpTvYv57bRnXcpV3Y1H:mvLLYKdZrvokSH32iNXAgHrvqtARX0Vj

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Executes dropped EXE 3 IoCs

pid	Process
2092	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
312	LitFiles133.exe
3832	77JmePDyE.exe

Loads dropped DLL 1 IoCs

pid	Process
2092	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Split Files\is-80LIC.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-2O3U8.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-MR07V.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-PPRU2.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-K0BKA.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\unins000.dat	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-PJD3S.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-5AMIB.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-FDQBT.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File opened for modification	C:\Program Files (x86)\Split Files\LitFiles133.exe	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-HQJ0M.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-1QU3P.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-9RS3R.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\is-VFN7C.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-VP51D.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
File created	C:\Program Files (x86)\Split Files\language\is-MQDSO.tmp	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
312	LitFiles133.exe
312	LitFiles133.exe
312	LitFiles133.exe
312	LitFiles133.exe
312	LitFiles133.exe
312	LitFiles133.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
312	LitFiles133.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2092	2324	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	84
PID 2324 wrote to memory of 2092	2324	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	84
PID 2324 wrote to memory of 2092	2324	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe	84
PID 2092 wrote to memory of 312	2092	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp	85
PID 2092 wrote to memory of 312	2092	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp	85
PID 2092 wrote to memory of 312	2092	5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp	85
PID 312 wrote to memory of 3832	312	LitFiles133.exe	89
PID 312 wrote to memory of 3832	312	LitFiles133.exe	89
PID 312 wrote to memory of 3832	312	LitFiles133.exe	89

C:\Users\Admin\AppData\Local\Temp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe
"C:\Users\Admin\AppData\Local\Temp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\is-A095R.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A095R.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp" /SL5="$B0052,1745942,182784,C:\Users\Admin\AppData\Local\Temp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Program Files (x86)\Split Files\LitFiles133.exe
    "C:\Program Files (x86)\Split Files\LitFiles133.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Users\Admin\AppData\Roaming\{1877acc0-b1d5-11ed-8218-806e6f6e6963}\77JmePDyE.exe
      4⤵
      Executes dropped EXE
      PID:3832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\LitFiles133.exe

Filesize
3.2MB

MD5
947756eeeea1163cc7ee5ead79374c4e

SHA1
abd235f822b6170a252f5bc6f24cb3924d7530ba

SHA256
657b13fabbb83ecf4a262c35be5de43772cc940488dd61af1eab2b88100dced7

SHA512
2dbb400619d605ed73fd0f3b034400496842f19261b6ddca59c79ec9006f1edfe4d40e45cce54f096aa06ec9f2d6f6c73df8d774d558948e7bb4a44e6dbd8b48

Download Submit
C:\Program Files (x86)\Split Files\LitFiles133.exe

Filesize
3.2MB

MD5
947756eeeea1163cc7ee5ead79374c4e

SHA1
abd235f822b6170a252f5bc6f24cb3924d7530ba

SHA256
657b13fabbb83ecf4a262c35be5de43772cc940488dd61af1eab2b88100dced7

SHA512
2dbb400619d605ed73fd0f3b034400496842f19261b6ddca59c79ec9006f1edfe4d40e45cce54f096aa06ec9f2d6f6c73df8d774d558948e7bb4a44e6dbd8b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3IA4A.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A095R.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp

Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A095R.tmp\5ab5bb513b1635c2bf521c9137117b82edf062ba9aa61b9436fcc62f48291031.tmp

Filesize
820KB

MD5
c918c18c921ab538c31033c0a4478e51

SHA1
cc468af59f91bac824f994361d20c90edddf0604

SHA256
9c5872756fa6fb90c382f47a7d768237fad13c4464f0fe0996808c79ffc56e60

SHA512
fc9ced5ab7dfafc794606faf5ac426af67361ef3c30fbb6fd993c77abf2ee15cfd86f9913c89b0f36afa4b7decc748418ab18c4b72a1d885b0e8b1ab71d27c6b

Download Submit
C:\Users\Admin\AppData\Roaming\{1877acc0-b1d5-11ed-8218-806e6f6e6963}\77JmePDyE.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{1877acc0-b1d5-11ed-8218-806e6f6e6963}\77JmePDyE.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/312-182-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/312-189-0x0000000000400000-0x0000000001532000-memory.dmp

Filesize
17.2MB

Download
memory/2092-148-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-188-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2092-190-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2324-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing