gcleaner | 7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001

General

Target

7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe
Size

273KB
MD5

f89a5436701b9dc5e4da6bdf2269e421
SHA1

ffa25e07c087e1c92e749fcb35a0add474daaa26
SHA256

7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001
SHA512

8af203f2535dc4691e5da664ae94db13035cc7a69172f9b5514c0e5ca3e0c770c55c6986857a0c4963da06ef81479ecc8354e969fe3465c1d86ef80b5bdeaa92
SSDEEP

3072:n6q+A5xbCdZhDiGleQKiFNqfjKAqVL7RT+nMu5RYBie5Wlz6BQbn:n6q+A5xCheGleQProsh7wMMCBiNZqQD

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3168	2316	WerFault.exe	82
2928	2316	WerFault.exe	82
3188	2316	WerFault.exe	82
1904	2316	WerFault.exe	82
4828	2316	WerFault.exe	82
4080	2316	WerFault.exe	82
1040	2316	WerFault.exe	82
3028	2316	WerFault.exe	82

Kills process with taskkill 1 IoCs

evasion

pid	Process
4428	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 4412	2316	7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe	110
PID 2316 wrote to memory of 4412	2316	7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe	110
PID 2316 wrote to memory of 4412	2316	7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe	110
PID 4412 wrote to memory of 4428	4412	cmd.exe	114
PID 4412 wrote to memory of 4428	4412	cmd.exe	114
PID 4412 wrote to memory of 4428	4412	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe
"C:\Users\Admin\AppData\Local\Temp\7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 740
  2⤵
  - Program crash
  PID:3168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 760
  2⤵
  - Program crash
  PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 796
  2⤵
  - Program crash
  PID:3188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 844
  2⤵
  - Program crash
  PID:1904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 904
  2⤵
  - Program crash
  PID:4828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 984
  2⤵
  - Program crash
  PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1328
  2⤵
  - Program crash
  PID:1040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1372
  2⤵
  - Program crash
  PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2316 -ip 2316
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2316 -ip 2316
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2316 -ip 2316
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2316 -ip 2316
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2316 -ip 2316
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2316 -ip 2316
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2316 -ip 2316
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2316 -ip 2316
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2316-1-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/2316-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-2-0x0000000004750000-0x000000000477D000-memory.dmp

Filesize
180KB

Download
memory/2316-4-0x0000000000400000-0x0000000002B02000-memory.dmp

Filesize
39.0MB

Download
memory/2316-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-6-0x0000000000400000-0x0000000002B02000-memory.dmp

Filesize
39.0MB

Download

Analysis

Sharing