gcleaner | e458ae8f825198ef3a2f8e6290053826044dc6635e14dd25884acbf8d7196995

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2023 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.7MB
MD5

95da0a6ddca2bebaee156d59a42756e7
SHA1

5c3336a4e0e80f03276d103c16d26633872906d3
SHA256

e458ae8f825198ef3a2f8e6290053826044dc6635e14dd25884acbf8d7196995
SHA512

62ca716a3b4fb6873eeef258281d3561347dd641f0cb0708ec6d88c525b83b3feca9702e17b17ef8aac60c3ae7ec3a0190734fa918087e22a355cd248c3729b9
SSDEEP

49152:P2YLzyLb+umRm50FRQUYRbIG+kPKgy7d8B6:OVmRkAG+KKgEd8B6

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	FBSpacer719.exe

Executes dropped EXE 3 IoCs

pid	Process
3864	file.exe.tmp
1656	FBSpacer719.exe
2148	dwyk8.exe

Loads dropped DLL 1 IoCs

pid	Process
3864	file.exe.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FBSpacer719\is-AO6HK.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\is-357IL.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-3ISTU.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-584U7.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-KJRNS.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-QEUNQ.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-72RT4.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-S48GD.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\is-TLKQ5.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Config\is-R19UC.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-KF92V.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-OG9VK.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-T4GDU.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-91MK6.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-BHQI4.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-21DTQ.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-5G2VV.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-T6TQ7.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-1709M.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\is-IF2IO.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\unins000.dat	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\is-1T6JD.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Config\is-80BRE.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-IBOAJ.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\is-8N99E.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-EUEK2.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-37V74.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-LG2HH.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-D7E7P.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-UJ2HD.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-NCM5H.tmp	file.exe.tmp
File opened for modification	C:\Program Files (x86)\FBSpacer719\unins000.dat	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-TH2LO.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-TURLL.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-GL0TI.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-7JUGM.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-45UFB.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-GVE4O.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-NIK3F.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-AS4QQ.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-5A9I9.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-LPRA4.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-S7U4I.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-BJB08.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-L4G6O.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-0NC1A.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-1F1J5.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-RIDOH.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-KR4HR.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-55QIP.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-6TU7D.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Config\is-V17A8.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-9VR23.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-VS6U9.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-LV9JL.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-85E7P.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-GEERS.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-BQ71V.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Config\is-3E4NU.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Config\is-CBKNI.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-RMKV9.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-JVJ3J.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-1R6P2.tmp	file.exe.tmp
File created	C:\Program Files (x86)\FBSpacer719\Skins\Blue\is-2LI1O.tmp	file.exe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3532	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1656	FBSpacer719.exe
1656	FBSpacer719.exe
1656	FBSpacer719.exe
1656	FBSpacer719.exe
1656	FBSpacer719.exe
1656	FBSpacer719.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3864	4676	file.exe	86
PID 4676 wrote to memory of 3864	4676	file.exe	86
PID 4676 wrote to memory of 3864	4676	file.exe	86
PID 3864 wrote to memory of 4688	3864	file.exe.tmp	87
PID 3864 wrote to memory of 4688	3864	file.exe.tmp	87
PID 3864 wrote to memory of 4688	3864	file.exe.tmp	87
PID 3864 wrote to memory of 1656	3864	file.exe.tmp	88
PID 3864 wrote to memory of 1656	3864	file.exe.tmp	88
PID 3864 wrote to memory of 1656	3864	file.exe.tmp	88
PID 4688 wrote to memory of 3164	4688	net.exe	90
PID 4688 wrote to memory of 3164	4688	net.exe	90
PID 4688 wrote to memory of 3164	4688	net.exe	90
PID 1656 wrote to memory of 2148	1656	FBSpacer719.exe	91
PID 1656 wrote to memory of 2148	1656	FBSpacer719.exe	91
PID 1656 wrote to memory of 2148	1656	FBSpacer719.exe	91
PID 1656 wrote to memory of 2744	1656	FBSpacer719.exe	104
PID 1656 wrote to memory of 2744	1656	FBSpacer719.exe	104
PID 1656 wrote to memory of 2744	1656	FBSpacer719.exe	104
PID 2744 wrote to memory of 3532	2744	cmd.exe	106
PID 2744 wrote to memory of 3532	2744	cmd.exe	106
PID 2744 wrote to memory of 3532	2744	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\AppData\Local\Temp\is-IK7S9.tmp\file.exe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IK7S9.tmp\file.exe.tmp" /SL5="$A0064,1524245,54272,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 19
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 19
      4⤵
      PID:3164
- - C:\Program Files (x86)\FBSpacer719\FBSpacer719.exe
    "C:\Program Files (x86)\FBSpacer719\FBSpacer719.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Roaming\{d95ac920-19de-11ee-b689-806e6f6e6963}\dwyk8.exe
      4⤵
      Executes dropped EXE
      PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "FBSpacer719.exe" /f & erase "C:\Program Files (x86)\FBSpacer719\FBSpacer719.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "FBSpacer719.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FBSpacer719\FBSpacer719.exe

Filesize
3.1MB

MD5
aa833161af67d3b3f746fcc5367f33b7

SHA1
7f164c9a99a6af65d39306b4f864bbe7dac9246d

SHA256
8ff92274055f16c018a67abace9222c1cbf20a3ef20b91f84157f9701579b045

SHA512
4e8e1a63c3f73ece53b2ccc5974d796dba1b39eaec063585f856491f89dd4f176883ee7a534f20b98f09a480092dc168dcea490deb8b6d725a2b8fb0ab24f5f1

Download Submit
C:\Program Files (x86)\FBSpacer719\FBSpacer719.exe

Filesize
3.1MB

MD5
aa833161af67d3b3f746fcc5367f33b7

SHA1
7f164c9a99a6af65d39306b4f864bbe7dac9246d

SHA256
8ff92274055f16c018a67abace9222c1cbf20a3ef20b91f84157f9701579b045

SHA512
4e8e1a63c3f73ece53b2ccc5974d796dba1b39eaec063585f856491f89dd4f176883ee7a534f20b98f09a480092dc168dcea490deb8b6d725a2b8fb0ab24f5f1

Download Submit
C:\Program Files (x86)\FBSpacer719\readme.txt

Filesize
4KB

MD5
ce494d2d223aed950fea67f657d3fa3e

SHA1
97a19c02487c41e3a079cd6764afffeb5e838b26

SHA256
c8fa111c5b9537e3b6cab9ba763e164e27fa469f2232b82a54b206a7d892b9e9

SHA512
687bf3bd7de28dc45ea622672dc59d7e45d9ce83530a7db6462447ea247a9bde061738c454e09b48531aab9cce802c8491aa730e4da65e63daf31c65ffc39fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C7IPBQYV\dll[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B1SAE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IK7S9.tmp\file.exe.tmp

Filesize
666KB

MD5
0e7f27cc46df2ce950edb562b443d15f

SHA1
0c5253dbfbccb7517811529679d4485d959829a5

SHA256
610d949e936698934a293bcbca02aa66535cb92006a1629595d3b5439b44a87b

SHA512
f74951340446e76244ebfe3ddb90c650de5849eeed27a37bc8fd1bb111be9543177b2e46ccef2a98c2044114ab56101491dd6cd08ac8b856535ac7e1cf425255

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IK7S9.tmp\file.exe.tmp

Filesize
666KB

MD5
0e7f27cc46df2ce950edb562b443d15f

SHA1
0c5253dbfbccb7517811529679d4485d959829a5

SHA256
610d949e936698934a293bcbca02aa66535cb92006a1629595d3b5439b44a87b

SHA512
f74951340446e76244ebfe3ddb90c650de5849eeed27a37bc8fd1bb111be9543177b2e46ccef2a98c2044114ab56101491dd6cd08ac8b856535ac7e1cf425255

Download Submit
C:\Users\Admin\AppData\Roaming\{d95ac920-19de-11ee-b689-806e6f6e6963}\dwyk8.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
C:\Users\Admin\AppData\Roaming\{d95ac920-19de-11ee-b689-806e6f6e6963}\dwyk8.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/1656-326-0x0000000000400000-0x0000000001522000-memory.dmp

Filesize
17.1MB

Download
memory/1656-324-0x0000000000400000-0x0000000001522000-memory.dmp

Filesize
17.1MB

Download
memory/1656-325-0x0000000000400000-0x0000000001522000-memory.dmp

Filesize
17.1MB

Download
memory/1656-334-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1656-341-0x0000000000400000-0x0000000001522000-memory.dmp

Filesize
17.1MB

Download
memory/1656-358-0x0000000000400000-0x0000000001522000-memory.dmp

Filesize
17.1MB

Download
memory/3864-339-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3864-342-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3864-140-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/3864-359-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4676-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4676-338-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4676-360-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download