gcleaner | 3ffcec5986af1570ad016c8131cbf09bcc2158d7e1c5f70d7828b1d0effd09c4

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe
Size

395KB
MD5

32b85e5061a27630ddea16c0d4f3f9a0
SHA1

821e6ab0fe1fe841cf9ba24b3fc838846b4785f4
SHA256

3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18
SHA512

b2c52fb67df7b28e15c24a25fca350057ca7aa9bb3fed3dd67cebe60a8b73f640de0ddea8057ec54aeddb28746e01799d13b79d860b788420aff66b851e09246
SSDEEP

6144:WkcteyLKfKtUdaXSc1l5JPIv5VR+ExfFtzM0sRQGHRbpLje1atpBYQW:WkjyWfKt5l5og4F20sXxbljaatUQW

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1804 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1524 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1524 taskkill.exe

pid	process
1804	cmd.exe

pid	process
1524	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1524	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.execmd.exe

description	pid	process	target process
PID 760 wrote to memory of 1804	760	3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe	cmd.exe
PID 760 wrote to memory of 1804	760	3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe	cmd.exe
PID 760 wrote to memory of 1804	760	3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe	cmd.exe
PID 760 wrote to memory of 1804	760	3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe	cmd.exe
PID 1804 wrote to memory of 1524	1804	cmd.exe	taskkill.exe
PID 1804 wrote to memory of 1524	1804	cmd.exe	taskkill.exe
PID 1804 wrote to memory of 1524	1804	cmd.exe	taskkill.exe
PID 1804 wrote to memory of 1524	1804	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe
"C:\Users\Admin\AppData\Local\Temp\3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "3d5fafa9b49865b274fb47abbdd087cf9617003e56b27501292f535bf2f0cb18.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-55-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/760-56-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download