gcleaner | 6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea

General

Target

6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe
Size

296KB
MD5

3262af29c71f39ae3bd80b99d554fe76
SHA1

e942092a8e1df5c8d96ee760aa084edadadec694
SHA256

6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea
SHA512

50736a07669ecf4491936089a03b3c7f474ee32df55cb4a8c0c1b3b2b6a1fc9323fe6af4c7a622f93de8bd219a0f888349e33b5db4471e0ad9b3baf520908f16
SSDEEP

3072:Uyno3vsybbG87MIGQimVZqEdBkiCC7EKFc/a8Lk8EV7l6IxhWATRFtcDU27TVfq:No/JbGYXimWliB/FuOV7UI5btg7B

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4188	784	WerFault.exe	78
1864	784	WerFault.exe	78
3268	784	WerFault.exe	78
4324	784	WerFault.exe	78
4180	784	WerFault.exe	78
1512	784	WerFault.exe	78
3260	784	WerFault.exe	78
484	784	WerFault.exe	78
4076	784	WerFault.exe	78
924	784	WerFault.exe	78

Kills process with taskkill 1 IoCs

evasion

pid	Process
4632	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 5040	784	6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe	98
PID 784 wrote to memory of 5040	784	6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe	98
PID 784 wrote to memory of 5040	784	6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe	98
PID 5040 wrote to memory of 4632	5040	cmd.exe	102
PID 5040 wrote to memory of 4632	5040	cmd.exe	102
PID 5040 wrote to memory of 4632	5040	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe
"C:\Users\Admin\AppData\Local\Temp\6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 772
  2⤵
  - Program crash
  PID:4188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 780
  2⤵
  - Program crash
  PID:1864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 780
  2⤵
  - Program crash
  PID:3268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 816
  2⤵
  - Program crash
  PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 952
  2⤵
  - Program crash
  PID:4180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 956
  2⤵
  - Program crash
  PID:1512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1204
  2⤵
  - Program crash
  PID:3260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1452
  2⤵
  - Program crash
  PID:484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "6560d3bd09c082f86fa0dfb976088718e83f4621e6c618a80feabf7541e988ea.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1396
  2⤵
  - Program crash
  PID:4076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1540
  2⤵
  - Program crash
  PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 784 -ip 784
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 784 -ip 784
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 784 -ip 784
1⤵
PID:488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 784 -ip 784
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 784 -ip 784
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 784 -ip 784
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 784 -ip 784
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 784 -ip 784
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 784 -ip 784
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 784 -ip 784
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-1-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/784-2-0x0000000003090000-0x00000000030BD000-memory.dmp

Filesize
180KB

Download
memory/784-3-0x0000000000400000-0x0000000002C2D000-memory.dmp

Filesize
40.2MB

Download
memory/784-5-0x0000000000400000-0x0000000002C2D000-memory.dmp

Filesize
40.2MB

Download
memory/784-7-0x0000000003090000-0x00000000030BD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing