gcleaner | a8e677e8d7daeb7a36f47f034b38af0667fc72c8674290fad047ae89b760d32d

General

Target

42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
Size

312KB
MD5

ae3afa452244676d55392d13204a9f67
SHA1

cbfb355b8cb2aad2ddeded588358491083bb2306
SHA256

42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282
SHA512

c6b2b5f5587fa78dba3f500e31e353f2fb28056ce4e031f377f4c4af7d6a9e8a1b548025954ed0c1b181f326003090e459b8c298416c136a3b8ebf3ec1cbc97d
SSDEEP

6144:q6xqXIQqjW59PnLC4NjserDQjwHgb8D7mpjY0GU:1oXIQqjsNnLC4NjXUqm8

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3196	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
2084	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
3104	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
1348	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
1008	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
1852	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
2396	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
3076	2196	WerFault.exe	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1108 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1108 taskkill.exe

pid	process
1108	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1108	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.execmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 5088	2196	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe	cmd.exe
PID 2196 wrote to memory of 5088	2196	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe	cmd.exe
PID 2196 wrote to memory of 5088	2196	42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe	cmd.exe
PID 5088 wrote to memory of 1108	5088	cmd.exe	taskkill.exe
PID 5088 wrote to memory of 1108	5088	cmd.exe	taskkill.exe
PID 5088 wrote to memory of 1108	5088	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe
"C:\Users\Admin\AppData\Local\Temp\42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 692
2⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 764
2⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 920
2⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 784
2⤵
- Program crash
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 920
2⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 948
2⤵
- Program crash
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 952
2⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "42e18100bc58d37f07f0c678a2a425dc4c1988f6a86cff80c456301789d58282.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 976
2⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2196 -ip 2196
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2196 -ip 2196
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2196 -ip 2196
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2196 -ip 2196
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2196 -ip 2196
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2196 -ip 2196
1⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-134-0x0000000000660000-0x00000000006A0000-memory.dmp

Filesize
256KB

Download
memory/2196-135-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads