gcleaner | 53828b4c45798c42a15c42d20cf65a705ec534e28ec86cc5d6312afb2d0a7e9d

Analysis

max time kernel
51s
max time network
178s
platform
windows10-1703_x64
resource
win10-20230220-it
resource tags

arch:x64arch:x86image:win10-20230220-itlocale:it-itos:windows10-1703-x64systemwindows
submitted
25-03-2023 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lower.exe
Size

439KB
MD5

aaa7586b2e64363b85571195a01b14e9
SHA1

734ccb31e72b9cb123f78c2ada870a11759e5e12
SHA256

53828b4c45798c42a15c42d20cf65a705ec534e28ec86cc5d6312afb2d0a7e9d
SHA512

bc94a9aea0002e58360278efbffc41d9ec3b99514692a5cdfc6264335efc5a1ab1c9e8fdc24a7dfa050a889427e577abfa7add10fbc319cad04d77604ebeeee8
SSDEEP

3072:QlsbVPQBHdThnjOwNUystMRdFAq6Ujq1fFTbpqdvH3DF/q1RiJCkGKU8x8vOmbwc:qywe3UjQTb4l3xg2CxKU8x8nMeF4SwO

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2172	1784	WerFault.exe	lower.exe
2120	1784	WerFault.exe	lower.exe
3500	1784	WerFault.exe	lower.exe
4480	1784	WerFault.exe	lower.exe
4700	1784	WerFault.exe	lower.exe
4844	1784	WerFault.exe	lower.exe
4904	1784	WerFault.exe	lower.exe
4928	1784	WerFault.exe	lower.exe
4188	1784	WerFault.exe	lower.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2656 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2656 taskkill.exe

pid	process
2656	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2656	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

lower.execmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 4448	1784	lower.exe	cmd.exe
PID 1784 wrote to memory of 4448	1784	lower.exe	cmd.exe
PID 1784 wrote to memory of 4448	1784	lower.exe	cmd.exe
PID 4448 wrote to memory of 2656	4448	cmd.exe	taskkill.exe
PID 4448 wrote to memory of 2656	4448	cmd.exe	taskkill.exe
PID 4448 wrote to memory of 2656	4448	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\lower.exe
"C:\Users\Admin\AppData\Local\Temp\lower.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 548
  2⤵
  - Program crash
  PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 792
  2⤵
  - Program crash
  PID:2120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 812
  2⤵
  - Program crash
  PID:3500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 876
  2⤵
  - Program crash
  PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 916
  2⤵
  - Program crash
  PID:4700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1000
  2⤵
  - Program crash
  PID:4844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1144
  2⤵
  - Program crash
  PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1184
  2⤵
  - Program crash
  PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1312
  2⤵
  - Program crash
  PID:4188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\lower.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "lower.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-117-0x0000000000650000-0x0000000000690000-memory.dmp

Filesize
256KB

Download
memory/1784-119-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download