gcleaner | f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d

General

Target

f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe
Size

282KB
MD5

d369af1128722a21e63b54767b27df9b
SHA1

a134ed2b5d493e6c35e275d663b21ab8420e3cab
SHA256

f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d
SHA512

3e9665342b8f0b9817f023fdd0dc63b2ed51b4a3c2b529b8d92afc75426dd3f169b6592ac78899f25346259cd236cbf6626e445547acf431c0da2b940e1be36c
SSDEEP

6144:0tnPIXREcJMcUsuKpoqoLhcIboriKVkk:0lPIXREyFUUp56horvVk

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.115

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3568	1708	WerFault.exe	79
4860	1708	WerFault.exe	79
4712	1708	WerFault.exe	79
2408	1708	WerFault.exe	79
240	1708	WerFault.exe	79
1976	1708	WerFault.exe	79
3308	1708	WerFault.exe	79
1684	1708	WerFault.exe	79
4272	1708	WerFault.exe	79

Kills process with taskkill 1 IoCs

evasion

pid	Process
1656	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4428	1708	f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe	99
PID 1708 wrote to memory of 4428	1708	f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe	99
PID 1708 wrote to memory of 4428	1708	f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe	99
PID 4428 wrote to memory of 1656	4428	cmd.exe	102
PID 4428 wrote to memory of 1656	4428	cmd.exe	102
PID 4428 wrote to memory of 1656	4428	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe
"C:\Users\Admin\AppData\Local\Temp\f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 780
  2⤵
  - Program crash
  PID:3568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 796
  2⤵
  - Program crash
  PID:4860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 832
  2⤵
  - Program crash
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 808
  2⤵
  - Program crash
  PID:2408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 952
  2⤵
  - Program crash
  PID:240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1076
  2⤵
  - Program crash
  PID:1976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1072
  2⤵
  - Program crash
  PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1444
  2⤵
  - Program crash
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "f6657feeb739e084356de73ea5076668476bde7a06cdc3f867526ca27c68fb2d.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1356
  2⤵
  - Program crash
  PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1708 -ip 1708
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1708 -ip 1708
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1708 -ip 1708
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1708 -ip 1708
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1708 -ip 1708
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1708 -ip 1708
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1708 -ip 1708
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1708 -ip 1708
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1708 -ip 1708
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1708-2-0x0000000002390000-0x00000000023BD000-memory.dmp

Filesize
180KB

Download
memory/1708-3-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1708-5-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1708-6-0x0000000002390000-0x00000000023BD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing