gcleaner | 35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe
Size

336KB
MD5

214eee18dacc5d7613dc59ae50b3101a
SHA1

78764c40cdf853f1835782ffe77aabd57c4f986e
SHA256

35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025
SHA512

f16b48bcc4406f53b585c131bd1649c26d31e3211339261450e6dd198f43e81becea826013ad54495c46303e5a2c63dac1a6350e2dc7d98b5123e7dafe1a2d60
SSDEEP

3072:jKNXiamz6KGBRaT8BlNBpoqQDGEofbMGZo10M7ALrKkx7GnO1HUm9J5pqIDp:jK1iamD+3N40TMyoqM7ALHy80Ip

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Deletes itself 1 IoCs

pid	Process
2076	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2636	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2076	948	35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe	28
PID 948 wrote to memory of 2076	948	35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe	28
PID 948 wrote to memory of 2076	948	35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe	28
PID 948 wrote to memory of 2076	948	35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe	28
PID 2076 wrote to memory of 2636	2076	cmd.exe	30
PID 2076 wrote to memory of 2636	2076	cmd.exe	30
PID 2076 wrote to memory of 2636	2076	cmd.exe	30
PID 2076 wrote to memory of 2636	2076	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe
"C:\Users\Admin\AppData\Local\Temp\35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "35f41ac4e8b5937fb9795929352fd61ff42177edb35a9e7eda7420250ec1c025.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/948-2-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/948-3-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/948-5-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/948-6-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/948-7-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download