Analysis

  • max time kernel
    140s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/04/2024, 17:24 UTC

General

  • Target

    b6e4dc4fd0cc50fbb1236fe1108b886d.exe

  • Size

    342KB

  • MD5

    b6e4dc4fd0cc50fbb1236fe1108b886d

  • SHA1

    ca17fc4111dbc08551aabe0e890c337448a19eda

  • SHA256

    114aa6cb595ed49423707788c3a06a79e250d23d0615108cbb3fb5bdd20af5c8

  • SHA512

    eaebb7b46714e2e15fd604383f5c7bb092c7f2669edf1c462544aeb3a11a38b8feacdfae7b78fe6cc0b96c6764909dad7e249c0d31320a26c5df1fa1c911dfbb

  • SSDEEP

    3072:FGSlqrvGown4AMsIqQk+ooNKeDe0T+ZvcXwR+YKZfwmuF5GZ4WDm/5O5XP0hd5A/:FanwpoNfe0Tb0aBwmuWaWa/5ORMAQOo

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes
  • url_path

    /advdlc.php

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (8 IoCs)
  • Kills process with taskkill (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6e4dc4fd0cc50fbb1236fe1108b886d.exe
    "C:\Users\Admin\AppData\Local\Temp\b6e4dc4fd0cc50fbb1236fe1108b886d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 744
      2⤵
      • Program crash
      PID:2200
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 764
      2⤵
      • Program crash
      PID:2556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 744
      2⤵
      • Program crash
      PID:1808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 816
      2⤵
      • Program crash
      PID:224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 904
      2⤵
      • Program crash
      PID:4632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 980
      2⤵
      • Program crash
      PID:1520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1032
      2⤵
      • Program crash
      PID:180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1364
      2⤵
      • Program crash
      PID:4156
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "b6e4dc4fd0cc50fbb1236fe1108b886d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b6e4dc4fd0cc50fbb1236fe1108b886d.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "b6e4dc4fd0cc50fbb1236fe1108b886d.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2548 -ip 2548
    1⤵
      PID:4456
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2548 -ip 2548
      1⤵
        PID:1616
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2548 -ip 2548
        1⤵
          PID:1652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2548 -ip 2548
          1⤵
            PID:4948
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2548 -ip 2548
            1⤵
              PID:2716
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2548 -ip 2548
              1⤵
                PID:2456
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:5040
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2548 -ip 2548
                  1⤵
                    PID:4548
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2548 -ip 2548
                    1⤵
                      PID:2192

Network

                    • DNS (US)
                      196.249.167.52.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      196.249.167.52.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      240.197.17.2.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      240.197.17.2.in-addr.arpa
                      IN PTR
                      Response
                      240.197.17.2.in-addr.arpa
                      IN PTR
                      a2-17-197-240.deploy.static.akamaitechnologies.com
                    • DNS (US)
                      103.169.127.40.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      103.169.127.40.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      56.126.166.20.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      56.126.166.20.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      24.139.73.23.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      24.139.73.23.in-addr.arpa
                      IN PTR
                      Response
                      24.139.73.23.in-addr.arpa
                      IN PTR
                      a23-73-139-24.deploy.static.akamaitechnologies.com
                    • DNS (US)
                      2.159.190.20.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      2.159.190.20.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      95.221.229.192.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      95.221.229.192.in-addr.arpa
                      IN PTR
                      Response
                    • GET (DE)
                      http://185.172.128.90/cpa/ping.php?substr=one&s=two
                      b6e4dc4fd0cc50fbb1236fe1108b886d.exe
                      Remote address:
                      185.172.128.90:80
                      Request
                      GET /cpa/ping.php?substr=one&s=two HTTP/1.1
                      Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                      Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                      Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                      Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                      User-Agent: 1
                      Host: 185.172.128.90
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Response
                      HTTP/1.1 200 OK
                      Date: Fri, 19 Apr 2024 17:25:40 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 1
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                    • DNS (US)
                      90.128.172.185.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      90.128.172.185.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      chromewebstore.googleapis.com
                      Remote address:
                      8.8.8.8:53
                      Request
                      chromewebstore.googleapis.com
                      IN A
                      Response
                      chromewebstore.googleapis.com
                      IN A
                      142.250.178.10
                      chromewebstore.googleapis.com
                      IN A
                      172.217.16.234
                      chromewebstore.googleapis.com
                      IN A
                      142.250.200.10
                      chromewebstore.googleapis.com
                      IN A
                      142.250.200.42
                      chromewebstore.googleapis.com
                      IN A
                      216.58.201.106
                      chromewebstore.googleapis.com
                      IN A
                      216.58.204.74
                      chromewebstore.googleapis.com
                      IN A
                      172.217.169.10
                      chromewebstore.googleapis.com
                      IN A
                      216.58.212.202
                      chromewebstore.googleapis.com
                      IN A
                      216.58.212.234
                      chromewebstore.googleapis.com
                      IN A
                      172.217.169.42
                      chromewebstore.googleapis.com
                      IN A
                      142.250.179.234
                      chromewebstore.googleapis.com
                      IN A
                      142.250.180.10
                      chromewebstore.googleapis.com
                      IN A
                      142.250.187.202
                      chromewebstore.googleapis.com
                      IN A
                      142.250.187.234
                    • DNS (US)
                      chromewebstore.googleapis.com
                      Remote address:
                      8.8.8.8:53
                      Request
                      chromewebstore.googleapis.com
                      IN Unknown
                      Response
                    • DNS (US)
                      10.178.250.142.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      10.178.250.142.in-addr.arpa
                      IN PTR
                      Response
                      10.178.250.142.in-addr.arpa
                      IN PTR
                      lhr48s27-in-f10.1e100.net
                    • DNS (US)
                      228.249.119.40.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      228.249.119.40.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      43.229.111.52.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      43.229.111.52.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      240.221.184.93.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      240.221.184.93.in-addr.arpa
                      IN PTR
                      Response
                    • DNS (US)
                      3.173.189.20.in-addr.arpa
                      Remote address:
                      8.8.8.8:53
                      Request
                      3.173.189.20.in-addr.arpa
                      IN PTR
                      Response
                    • 185.172.128.90:80
                      http://185.172.128.90/cpa/ping.php?substr=one&s=two
                      http
                      b6e4dc4fd0cc50fbb1236fe1108b886d.exe
                      687 B
                      376 B
                      6
                      4

                      HTTP Request

                      GET http://185.172.128.90/cpa/ping.php?substr=one&s=two

                      HTTP Response

                      200
                    • 142.250.178.10:443
                      chromewebstore.googleapis.com
                      tls
                      2.0kB
                      8.0kB
                      17
                      18
                    • 8.8.8.8:53
                      196.249.167.52.in-addr.arpa
                      dns
                      73 B
                      147 B
                      1
                      1

                      DNS Request

                      196.249.167.52.in-addr.arpa

                    • 8.8.8.8:53
                      240.197.17.2.in-addr.arpa
                      dns
                      71 B
                      135 B
                      1
                      1

                      DNS Request

                      240.197.17.2.in-addr.arpa

                    • 8.8.8.8:53
                      103.169.127.40.in-addr.arpa
                      dns
                      73 B
                      147 B
                      1
                      1

                      DNS Request

                      103.169.127.40.in-addr.arpa

                    • 8.8.8.8:53
                      56.126.166.20.in-addr.arpa
                      dns
                      72 B
                      158 B
                      1
                      1

                      DNS Request

                      56.126.166.20.in-addr.arpa

                    • 8.8.8.8:53
                      24.139.73.23.in-addr.arpa
                      dns
                      71 B
                      135 B
                      1
                      1

                      DNS Request

                      24.139.73.23.in-addr.arpa

                    • 8.8.8.8:53
                      2.159.190.20.in-addr.arpa
                      dns
                      71 B
                      157 B
                      1
                      1

                      DNS Request

                      2.159.190.20.in-addr.arpa

                    • 8.8.8.8:53
                      95.221.229.192.in-addr.arpa
                      dns
                      73 B
                      144 B
                      1
                      1

                      DNS Request

                      95.221.229.192.in-addr.arpa

                    • 8.8.8.8:53
                      90.128.172.185.in-addr.arpa
                      dns
                      73 B
                      73 B
                      1
                      1

                      DNS Request

                      90.128.172.185.in-addr.arpa

                    • 8.8.8.8:53
                      chromewebstore.googleapis.com
                      dns
                      75 B
                      299 B
                      1
                      1

                      DNS Request

                      chromewebstore.googleapis.com

                    • 8.8.8.8:53
                      chromewebstore.googleapis.com
                      dns
                      75 B
                      132 B
                      1
                      1

                      DNS Request

                      chromewebstore.googleapis.com

                    • 8.8.8.8:53
                      10.178.250.142.in-addr.arpa
                      dns
                      73 B
                      112 B
                      1
                      1

                      DNS Request

                      10.178.250.142.in-addr.arpa

                    • 8.8.8.8:53
                      228.249.119.40.in-addr.arpa
                      dns
                      73 B
                      159 B
                      1
                      1

                      DNS Request

                      228.249.119.40.in-addr.arpa

                    • 8.8.8.8:53
                      43.229.111.52.in-addr.arpa
                      dns
                      72 B
                      158 B
                      1
                      1

                      DNS Request

                      43.229.111.52.in-addr.arpa

                    • 8.8.8.8:53
                      240.221.184.93.in-addr.arpa
                      dns
                      73 B
                      144 B
                      1
                      1

                      DNS Request

                      240.221.184.93.in-addr.arpa

                    • 8.8.8.8:53
                      3.173.189.20.in-addr.arpa
                      dns
                      71 B
                      157 B
                      1
                      1

                      DNS Request

                      3.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2548-1-0x0000000001C50000-0x0000000001D50000-memory.dmp
    Filesize: 1024KB
  • memory/2548-2-0x0000000003760000-0x000000000378D000-memory.dmp
    Filesize: 180KB
  • memory/2548-3-0x0000000000400000-0x0000000001A20000-memory.dmp
    Filesize: 22.1MB
  • memory/2548-6-0x0000000001C50000-0x0000000001D50000-memory.dmp
    Filesize: 1024KB
  • memory/2548-7-0x0000000003760000-0x000000000378D000-memory.dmp
    Filesize: 180KB
  • memory/2548-11-0x0000000000400000-0x0000000001A20000-memory.dmp
    Filesize: 22.1MB
