Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26/03/2024, 09:07 UTC

General

  • Target

    2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe

  • Size

    301KB

  • MD5

    e426711f2baaaa5ac3c22e490361c391

  • SHA1

    b1dbc44255a68a889bf3a28f3b7925127886871f

  • SHA256

    2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002

  • SHA512

    bb4506f8f67935315324333174b6fb945178376935947883ccd4668242fa7cd0e5058567c8df2ab460465ee88c54f0a0f3a833723cc5982f6db3a2f27878c7b8

  • SSDEEP

    3072:EzKIOGJfB4wfLLvY+hdqPXWZsMieG82Pa4oMT76ckpiqewdX7C/d8Seo6pHAMyq/:AKqxnvYzusMrG7PehpH19Seo6pHAMyW

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.115

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe
    "C:\Users\Admin\AppData\Local\Temp\2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 764
      2⤵
      • Program crash
      PID:2380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 780
      2⤵
      • Program crash
      PID:2592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 828
      2⤵
      • Program crash
      PID:5064
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 880
      2⤵
      • Program crash
      PID:932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 960
      2⤵
      • Program crash
      PID:2396
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1060
      2⤵
      • Program crash
      PID:1256
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1428
      2⤵
      • Program crash
      PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1496
      2⤵
      • Program crash
      PID:236
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3044 -ip 3044
    1⤵
    PID:3468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3044 -ip 3044
    1⤵
    PID:4964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3044 -ip 3044
    1⤵
    PID:3052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3044 -ip 3044
    1⤵
    PID:1512
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3044 -ip 3044
    1⤵
    PID:956
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3044 -ip 3044
    1⤵
    PID:4316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3044 -ip 3044
    1⤵
    PID:2828
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3044 -ip 3044
    1⤵
    PID:3780

Network

  • GET (DE)
    http://185.172.128.90/cpa/ping.php?substr=one&s=two
    2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe
    Remote address:
    185.172.128.90:80
    Request
    GET /cpa/ping.php?substr=one&s=two HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 185.172.128.90
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Tue, 26 Mar 2024 09:08:03 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • DNS (US)
    90.128.172.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.128.172.185.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS (US)
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.43
  • DNS (US)
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 185.172.128.90:80
    http://185.172.128.90/cpa/ping.php?substr=one&s=two
    http
    2933a006093f683005d6a063b150494eb9d81cd4511739bd21bf20e7f2d80002.exe
    687 B
    376 B
    6
    4

    HTTP Request

    GET http://185.172.128.90/cpa/ping.php?substr=one&s=two

    HTTP Response

    200
  • 8.8.8.8:53
    90.128.172.185.in-addr.arpa
    dns
    287 B
    462 B
    4
    4

    DNS Request

    90.128.172.185.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.229.43

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3044-1-0x0000000000D40000-0x0000000000E40000-memory.dmp

    Filesize

    1024KB

  • memory/3044-2-0x0000000002960000-0x000000000298D000-memory.dmp

    Filesize

    180KB

  • memory/3044-3-0x0000000000400000-0x0000000000AF4000-memory.dmp

    Filesize

    7.0MB

  • memory/3044-5-0x0000000000400000-0x0000000000AF4000-memory.dmp

    Filesize

    7.0MB

  • memory/3044-6-0x0000000002960000-0x000000000298D000-memory.dmp

    Filesize

    180KB
