gcleaner | 28298b9302a467ad92b509e1a961e5d98a5179f9cec7cebd1cfe50e844506a77

Analysis

max time kernel
64s
max time network
70s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.9MB
MD5

21321336c670d1b96295499d7697c105
SHA1

9ceaf33034147557c938e4f658ee2a054260c507
SHA256

28298b9302a467ad92b509e1a961e5d98a5179f9cec7cebd1cfe50e844506a77
SHA512

06a06558673b0cc435f50ca7c4d9e82d6a096f5b40b38967b9d785eab7d63f2c320b80c71456c41bc19b327d65cfd61cadce5b75a4b2684ccd5c9979aa08cf98
SSDEEP

49152:KiJ6hloLsJLD7cAKYQ0E7OtjjgfKs8wuV:KiQhyLsJn79vAOtjGFI

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Executes dropped EXE 3 IoCs

pid	Process
1528	is-PLK77.tmp
1324	Rec519.exe
1360	Y36FvN.exe

Loads dropped DLL 10 IoCs

pid	Process
1612	file.exe
1528	is-PLK77.tmp
1528	is-PLK77.tmp
1528	is-PLK77.tmp
1528	is-PLK77.tmp
1324	Rec519.exe
1324	Rec519.exe
1324	Rec519.exe
1360	Y36FvN.exe
1360	Y36FvN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FLJCover\Rec519\unins000.dat	is-PLK77.tmp
File created	C:\Program Files (x86)\FLJCover\Rec519\is-B1I12.tmp	is-PLK77.tmp
File created	C:\Program Files (x86)\FLJCover\Rec519\is-R2R9O.tmp	is-PLK77.tmp
File created	C:\Program Files (x86)\FLJCover\Rec519\data\is-PE0L0.tmp	is-PLK77.tmp
File opened for modification	C:\Program Files (x86)\FLJCover\Rec519\unins000.dat	is-PLK77.tmp
File created	C:\Program Files (x86)\FLJCover\Rec519\is-1NNEJ.tmp	is-PLK77.tmp
File created	C:\Program Files (x86)\FLJCover\Rec519\is-SS4Q4.tmp	is-PLK77.tmp
File created	C:\Program Files (x86)\FLJCover\Rec519\is-TUG5V.tmp	is-PLK77.tmp
File opened for modification	C:\Program Files (x86)\FLJCover\Rec519\Rec519.exe	is-PLK77.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1272	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1324	Rec519.exe
1324	Rec519.exe
1324	Rec519.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	taskkill.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1528	1612	file.exe	28
PID 1612 wrote to memory of 1528	1612	file.exe	28
PID 1612 wrote to memory of 1528	1612	file.exe	28
PID 1612 wrote to memory of 1528	1612	file.exe	28
PID 1612 wrote to memory of 1528	1612	file.exe	28
PID 1612 wrote to memory of 1528	1612	file.exe	28
PID 1612 wrote to memory of 1528	1612	file.exe	28
PID 1528 wrote to memory of 1324	1528	is-PLK77.tmp	29
PID 1528 wrote to memory of 1324	1528	is-PLK77.tmp	29
PID 1528 wrote to memory of 1324	1528	is-PLK77.tmp	29
PID 1528 wrote to memory of 1324	1528	is-PLK77.tmp	29
PID 1528 wrote to memory of 1324	1528	is-PLK77.tmp	29
PID 1528 wrote to memory of 1324	1528	is-PLK77.tmp	29
PID 1528 wrote to memory of 1324	1528	is-PLK77.tmp	29
PID 1324 wrote to memory of 1360	1324	Rec519.exe	30
PID 1324 wrote to memory of 1360	1324	Rec519.exe	30
PID 1324 wrote to memory of 1360	1324	Rec519.exe	30
PID 1324 wrote to memory of 1360	1324	Rec519.exe	30
PID 1324 wrote to memory of 1360	1324	Rec519.exe	30
PID 1324 wrote to memory of 1360	1324	Rec519.exe	30
PID 1324 wrote to memory of 1360	1324	Rec519.exe	30
PID 1324 wrote to memory of 1720	1324	Rec519.exe	33
PID 1324 wrote to memory of 1720	1324	Rec519.exe	33
PID 1324 wrote to memory of 1720	1324	Rec519.exe	33
PID 1324 wrote to memory of 1720	1324	Rec519.exe	33
PID 1324 wrote to memory of 1720	1324	Rec519.exe	33
PID 1324 wrote to memory of 1720	1324	Rec519.exe	33
PID 1324 wrote to memory of 1720	1324	Rec519.exe	33
PID 1720 wrote to memory of 1272	1720	cmd.exe	35
PID 1720 wrote to memory of 1272	1720	cmd.exe	35
PID 1720 wrote to memory of 1272	1720	cmd.exe	35
PID 1720 wrote to memory of 1272	1720	cmd.exe	35
PID 1720 wrote to memory of 1272	1720	cmd.exe	35
PID 1720 wrote to memory of 1272	1720	cmd.exe	35
PID 1720 wrote to memory of 1272	1720	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\is-9AAK5.tmp\is-PLK77.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9AAK5.tmp\is-PLK77.tmp" /SL4 $70128 "C:\Users\Admin\AppData\Local\Temp\file.exe" 1791781 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Program Files (x86)\FLJCover\Rec519\Rec519.exe
    "C:\Program Files (x86)\FLJCover\Rec519\Rec519.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\Y36FvN.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "Rec519.exe" /f & erase "C:\Program Files (x86)\FLJCover\Rec519\Rec519.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Rec519.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FLJCover\Rec519\Rec519.exe

Filesize
2.3MB

MD5
c0eae78c99309d24d1c1714eae8d49a2

SHA1
91f99afc80063423527634e15872c1917e4056ec

SHA256
089a52e8a82b267e32784686390d5a26878608283d8e6da067fc91abb4f85180

SHA512
4a97870169c0ce9a2b0aa0ce51fe6c9025f2432236e69437b579a9c7263c76f69f88af16b426e3a4225c4ee5871be45d6244327dadb777e56896472a3e1b8aa4

Download Submit
C:\Program Files (x86)\FLJCover\Rec519\Rec519.exe

Filesize
2.3MB

MD5
c0eae78c99309d24d1c1714eae8d49a2

SHA1
91f99afc80063423527634e15872c1917e4056ec

SHA256
089a52e8a82b267e32784686390d5a26878608283d8e6da067fc91abb4f85180

SHA512
4a97870169c0ce9a2b0aa0ce51fe6c9025f2432236e69437b579a9c7263c76f69f88af16b426e3a4225c4ee5871be45d6244327dadb777e56896472a3e1b8aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\dll[2].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AAK5.tmp\is-PLK77.tmp

Filesize
644KB

MD5
1f2bc482c99f55a713cf6ca3c1ff04f8

SHA1
852bacef61b885aa31afc7f615de6c6af0f715f4

SHA256
0a0d0b1916549cf997e2110a768d5bd088f5d1390960c22cb9609fe722779dcf

SHA512
a0ece5740fadbdb08f8a9efdb5e72b56198cfb35981835e03dafd2ad09d61bc592e602887d7cf65c58fc19b26caea653c1b5e5d4f35a85ebdc784300aa6948e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AAK5.tmp\is-PLK77.tmp

Filesize
644KB

MD5
1f2bc482c99f55a713cf6ca3c1ff04f8

SHA1
852bacef61b885aa31afc7f615de6c6af0f715f4

SHA256
0a0d0b1916549cf997e2110a768d5bd088f5d1390960c22cb9609fe722779dcf

SHA512
a0ece5740fadbdb08f8a9efdb5e72b56198cfb35981835e03dafd2ad09d61bc592e602887d7cf65c58fc19b26caea653c1b5e5d4f35a85ebdc784300aa6948e9

Download Submit
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\Y36FvN.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\Y36FvN.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
\Program Files (x86)\FLJCover\Rec519\Rec519.exe

Filesize
2.3MB

MD5
c0eae78c99309d24d1c1714eae8d49a2

SHA1
91f99afc80063423527634e15872c1917e4056ec

SHA256
089a52e8a82b267e32784686390d5a26878608283d8e6da067fc91abb4f85180

SHA512
4a97870169c0ce9a2b0aa0ce51fe6c9025f2432236e69437b579a9c7263c76f69f88af16b426e3a4225c4ee5871be45d6244327dadb777e56896472a3e1b8aa4

Download Submit
\Program Files (x86)\FLJCover\Rec519\Rec519.exe

Filesize
2.3MB

MD5
c0eae78c99309d24d1c1714eae8d49a2

SHA1
91f99afc80063423527634e15872c1917e4056ec

SHA256
089a52e8a82b267e32784686390d5a26878608283d8e6da067fc91abb4f85180

SHA512
4a97870169c0ce9a2b0aa0ce51fe6c9025f2432236e69437b579a9c7263c76f69f88af16b426e3a4225c4ee5871be45d6244327dadb777e56896472a3e1b8aa4

Download Submit
\Program Files (x86)\FLJCover\Rec519\Rec519.exe

Filesize
2.3MB

MD5
c0eae78c99309d24d1c1714eae8d49a2

SHA1
91f99afc80063423527634e15872c1917e4056ec

SHA256
089a52e8a82b267e32784686390d5a26878608283d8e6da067fc91abb4f85180

SHA512
4a97870169c0ce9a2b0aa0ce51fe6c9025f2432236e69437b579a9c7263c76f69f88af16b426e3a4225c4ee5871be45d6244327dadb777e56896472a3e1b8aa4

Download Submit
\Users\Admin\AppData\Local\Temp\is-9AAK5.tmp\is-PLK77.tmp

Filesize
644KB

MD5
1f2bc482c99f55a713cf6ca3c1ff04f8

SHA1
852bacef61b885aa31afc7f615de6c6af0f715f4

SHA256
0a0d0b1916549cf997e2110a768d5bd088f5d1390960c22cb9609fe722779dcf

SHA512
a0ece5740fadbdb08f8a9efdb5e72b56198cfb35981835e03dafd2ad09d61bc592e602887d7cf65c58fc19b26caea653c1b5e5d4f35a85ebdc784300aa6948e9

Download Submit
\Users\Admin\AppData\Local\Temp\is-CTM54.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-CTM54.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CTM54.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\Y36FvN.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\Y36FvN.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\Y36FvN.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/1324-108-0x0000000000400000-0x000000000144A000-memory.dmp

Filesize
16.3MB

Download
memory/1324-121-0x0000000001BB0000-0x0000000002BFA000-memory.dmp

Filesize
16.3MB

Download
memory/1324-97-0x0000000000400000-0x000000000144A000-memory.dmp

Filesize
16.3MB

Download
memory/1324-113-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1324-95-0x0000000001BB0000-0x0000000002BFA000-memory.dmp

Filesize
16.3MB

Download
memory/1324-94-0x0000000000400000-0x000000000144A000-memory.dmp

Filesize
16.3MB

Download
memory/1324-142-0x0000000000400000-0x000000000144A000-memory.dmp

Filesize
16.3MB

Download
memory/1324-120-0x0000000000400000-0x000000000144A000-memory.dmp

Filesize
16.3MB

Download
memory/1324-96-0x0000000001BB0000-0x0000000002BFA000-memory.dmp

Filesize
16.3MB

Download
memory/1528-99-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1528-143-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1528-119-0x0000000004CB0000-0x0000000005CFA000-memory.dmp

Filesize
16.3MB

Download
memory/1528-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1528-93-0x0000000004CB0000-0x0000000005CFA000-memory.dmp

Filesize
16.3MB

Download
memory/1528-109-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1612-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1612-98-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1612-144-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download