gcleaner | 604a2cbfcc5bfc6c4d3250997bfd13e0ce2fffabde6e503452d73f3f09c5ff26

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df57b996c6a68b965a93dac0c0e42aa0.exe
Size

361KB
MD5

df57b996c6a68b965a93dac0c0e42aa0
SHA1

57789b9ea6496983f8095f9a54823798c5232d55
SHA256

604a2cbfcc5bfc6c4d3250997bfd13e0ce2fffabde6e503452d73f3f09c5ff26
SHA512

b1ff3fe2a452c4f9b452a13fe807f5a0d771bdecc42a5c83ed43a7fbd5460e05a3632580ad786cac0403d6491f8de58ff2f052e42c49eaf3bb40bf841c786490
SSDEEP

6144:btLXDFm+EbpNiH7EPOs8NeKOLdYhRolL3p+XfGfgmP4GcxATv6o:1Xpm+EbpEHQOs850dGuljpHIfa6

Score

10^/10

gcleaner loader

Malware Config

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	df57b996c6a68b965a93dac0c0e42aa0.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	iplogger.org
14	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1340	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4340	4552	df57b996c6a68b965a93dac0c0e42aa0.exe	93
PID 4552 wrote to memory of 4340	4552	df57b996c6a68b965a93dac0c0e42aa0.exe	93
PID 4552 wrote to memory of 4340	4552	df57b996c6a68b965a93dac0c0e42aa0.exe	93
PID 4340 wrote to memory of 1340	4340	cmd.exe	95
PID 4340 wrote to memory of 1340	4340	cmd.exe	95
PID 4340 wrote to memory of 1340	4340	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\df57b996c6a68b965a93dac0c0e42aa0.exe
"C:\Users\Admin\AppData\Local\Temp\df57b996c6a68b965a93dac0c0e42aa0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "df57b996c6a68b965a93dac0c0e42aa0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\df57b996c6a68b965a93dac0c0e42aa0.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "df57b996c6a68b965a93dac0c0e42aa0.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4552-1-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/4552-2-0x0000000000750000-0x000000000079A000-memory.dmp

Filesize
296KB

Download
memory/4552-3-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4552-4-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4552-5-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/4552-6-0x0000000000750000-0x000000000079A000-memory.dmp

Filesize
296KB

Download