Analysis
-
max time kernel
81s -
max time network
83s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
23-03-2023 00:40
General
-
Target
0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe
-
Size
274KB
-
MD5
fc9d6c44a166ea2f7f93de619b904481
-
SHA1
e47a116cf55e7f3dbb141f0dc4b6c75875fec38a
-
SHA256
0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b
-
SHA512
4a60cc0a48f6ec442e6244d9b1a488b6644e250f726631dab286470eee80ccc5f86296abcbacdda233d4f7dbc24973fd8e1476ad302dba21c2302bc9c8a72cf2
-
SSDEEP
6144:QgnrhUFa2TGI5Z6p+F8duWDHoGjiXECnrSenXJ0v:Qgnr/2TGI5Z6pjEWSBneen5u
Score
10/10
Malware Config
Extracted
Family
gcleaner
C2
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 37 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe"C:\Users\Admin\AppData\Local\Temp\0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 4522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 7642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 8042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 8562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 9282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 10042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 10362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 13642⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "0bae28922ad0fc2e5d92b6bf45fd23efb20c2639fafef7bcb0e12b642e2a9f5b.exe" /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 14882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1452 -ip 14521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1452 -ip 14521⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1452-134-0x00000000022E0000-0x0000000002320000-memory.dmpFilesize
256KB
-
memory/1452-135-0x0000000000400000-0x0000000000588000-memory.dmpFilesize
1.5MB
-
memory/1452-137-0x00000000022E0000-0x0000000002320000-memory.dmpFilesize
256KB
-
memory/1452-138-0x0000000000400000-0x0000000000588000-memory.dmpFilesize
1.5MB
-
memory/3008-139-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-140-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-141-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-145-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-146-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-147-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-150-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-149-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-148-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB
-
memory/3008-151-0x000001982B9C0000-0x000001982B9C1000-memory.dmpFilesize
4KB