gcleaner | 7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001

General

Target

7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe
Size

273KB
MD5

f89a5436701b9dc5e4da6bdf2269e421
SHA1

ffa25e07c087e1c92e749fcb35a0add474daaa26
SHA256

7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001
SHA512

8af203f2535dc4691e5da664ae94db13035cc7a69172f9b5514c0e5ca3e0c770c55c6986857a0c4963da06ef81479ecc8354e969fe3465c1d86ef80b5bdeaa92
SSDEEP

3072:n6q+A5xbCdZhDiGleQKiFNqfjKAqVL7RT+nMu5RYBie5Wlz6BQbn:n6q+A5xCheGleQProsh7wMMCBiNZqQD

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1752	3164	WerFault.exe	79
4524	3164	WerFault.exe	79
3000	3164	WerFault.exe	79
4128	3164	WerFault.exe	79
412	3164	WerFault.exe	79
3552	3164	WerFault.exe	79
5016	3164	WerFault.exe	79
4348	3164	WerFault.exe	79
3932	3164	WerFault.exe	79

Kills process with taskkill 1 IoCs

evasion

pid	Process
2884	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 3672	3164	7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe	99
PID 3164 wrote to memory of 3672	3164	7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe	99
PID 3164 wrote to memory of 3672	3164	7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe	99
PID 3672 wrote to memory of 2884	3672	cmd.exe	102
PID 3672 wrote to memory of 2884	3672	cmd.exe	102
PID 3672 wrote to memory of 2884	3672	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe
"C:\Users\Admin\AppData\Local\Temp\7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 772
  2⤵
  - Program crash
  PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 812
  2⤵
  - Program crash
  PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 832
  2⤵
  - Program crash
  PID:3000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 892
  2⤵
  - Program crash
  PID:4128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 976
  2⤵
  - Program crash
  PID:412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1064
  2⤵
  - Program crash
  PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1088
  2⤵
  - Program crash
  PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1436
  2⤵
  - Program crash
  PID:4348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "7f2adb49175b395189f62369371725fcc4505ed5ea4bc869b18e8266a5048001.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1544
  2⤵
  - Program crash
  PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3164 -ip 3164
1⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3164 -ip 3164
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3164 -ip 3164
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3164 -ip 3164
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3164 -ip 3164
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3164 -ip 3164
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3164 -ip 3164
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3164 -ip 3164
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3164 -ip 3164
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3164-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-2-0x0000000002E40000-0x0000000002E6D000-memory.dmp

Filesize
180KB

Download
memory/3164-1-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/3164-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-5-0x0000000000400000-0x0000000002B02000-memory.dmp

Filesize
39.0MB

Download

Analysis

Sharing