gcleaner | 2a77ae43cff20befca76b49de3665a059eadb01dd0a15cadd69eab65c2a7f491

Analysis

max time kernel
7s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49a70d3437724bd70e25e097f8ea80fd.exe
Size

450KB
MD5

49a70d3437724bd70e25e097f8ea80fd
SHA1

0f467a5bed2642302bb81f43d5fa825b0c72e402
SHA256

2a77ae43cff20befca76b49de3665a059eadb01dd0a15cadd69eab65c2a7f491
SHA512

0f8a0652a19aba5d4df32b2f7532d0a5952ef21d9f885a619df6de8e05dec3cbeec78df2e8e270d4d460bb3bb6798e522f64dbfd9ba439d034670ae4a8188b45
SSDEEP

6144:x8aTDnsEzuiercYKh5GpMGDgnbGSA165LRHqliBAaXlYwyntuq89b+aQ:TzRzuiercYKq+GDgrACL9qsLqwFq06a

Score

10^/10

gcleaner onlylogger loader

Malware Config

Extracted

Family

gcleaner

gc-prtnrs.top

gcc-prtnrs.top

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral2/memory/1640-2-0x0000000003510000-0x000000000355F000-memory.dmp	family_onlylogger
behavioral2/memory/1640-3-0x0000000000400000-0x000000000326C000-memory.dmp	family_onlylogger
behavioral2/memory/1640-5-0x0000000003510000-0x000000000355F000-memory.dmp	family_onlylogger
behavioral2/memory/1640-4-0x0000000000400000-0x000000000326C000-memory.dmp	family_onlylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	49a70d3437724bd70e25e097f8ea80fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3784	1640	WerFault.exe	14
2220	1640	WerFault.exe	14
3460	1640	WerFault.exe	14
4808	1640	WerFault.exe	14
2832	1640	WerFault.exe	14
4660	1640	WerFault.exe	14
3472	1640	WerFault.exe	14

Kills process with taskkill 1 IoCs

evasion

pid	Process
1676	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1332	1640	49a70d3437724bd70e25e097f8ea80fd.exe	109
PID 1640 wrote to memory of 1332	1640	49a70d3437724bd70e25e097f8ea80fd.exe	109
PID 1640 wrote to memory of 1332	1640	49a70d3437724bd70e25e097f8ea80fd.exe	109
PID 1332 wrote to memory of 1676	1332	cmd.exe	105
PID 1332 wrote to memory of 1676	1332	cmd.exe	105
PID 1332 wrote to memory of 1676	1332	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\49a70d3437724bd70e25e097f8ea80fd.exe
"C:\Users\Admin\AppData\Local\Temp\49a70d3437724bd70e25e097f8ea80fd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 736
  2⤵
  - Program crash
  PID:3784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 784
  2⤵
  - Program crash
  PID:2220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 944
  2⤵
  - Program crash
  PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 952
  2⤵
  - Program crash
  PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 988
  2⤵
  - Program crash
  PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 996
  2⤵
  - Program crash
  PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 728
  2⤵
  - Program crash
  PID:3472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "49a70d3437724bd70e25e097f8ea80fd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\49a70d3437724bd70e25e097f8ea80fd.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1640 -ip 1640
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1640 -ip 1640
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1640 -ip 1640
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1640 -ip 1640
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1640 -ip 1640
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1640 -ip 1640
1⤵
PID:5104

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "49a70d3437724bd70e25e097f8ea80fd.exe" /f
1⤵
- Kills process with taskkill
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1640 -ip 1640
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-2-0x0000000003510000-0x000000000355F000-memory.dmp

Filesize
316KB

Download
memory/1640-1-0x0000000003590000-0x0000000003690000-memory.dmp

Filesize
1024KB

Download
memory/1640-3-0x0000000000400000-0x000000000326C000-memory.dmp

Filesize
46.4MB

Download
memory/1640-5-0x0000000003510000-0x000000000355F000-memory.dmp

Filesize
316KB

Download
memory/1640-4-0x0000000000400000-0x000000000326C000-memory.dmp

Filesize
46.4MB

Download