gcleaner | c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 19:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

323KB
MD5

188332f8d229131789a0b760aec2dd91
SHA1

2ca374c876946334a9f71d3b68f669791e1dc2ba
SHA256

c6820216f0f3c79377dc2fbd0e82971910cccda00efa6de17fe0912076efacc3
SHA512

42dcb71bd0e12bca13aced7215e661765211b3f38f7f2c74458270a2fa3cefe805f5341ec6081c7ce6ebb4d6c28ce9ab0f8c2d8d7fbc32734759f11aadd52e8e
SSDEEP

6144:FLFccXjKG6w81kQOqQi+dzbObhnjuZpBKZ6oW/aT:FJLj16wrXhi2u5juZbMaM

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2764	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2876	2200	tmp.exe	29
PID 2200 wrote to memory of 2876	2200	tmp.exe	29
PID 2200 wrote to memory of 2876	2200	tmp.exe	29
PID 2200 wrote to memory of 2876	2200	tmp.exe	29
PID 2876 wrote to memory of 2764	2876	cmd.exe	31
PID 2876 wrote to memory of 2764	2876	cmd.exe	31
PID 2876 wrote to memory of 2764	2876	cmd.exe	31
PID 2876 wrote to memory of 2764	2876	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "tmp.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\tmp.exe" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "tmp.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-54-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2200-55-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2200-56-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2200-57-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2200-59-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2200-60-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2200-61-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download