Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-05-2024 09:22

General

  • Target

    d8d63618bdbf7026bc080aee5273c85ada6aa81fbc75da63d7393ee334f91fa0.exe

  • Size

    300KB

  • MD5

    41a9ce43e68a28c8d3be9d7528ac89bd

  • SHA1

    720891b1e49f68d1205fac01c8b620dcc711b44f

  • SHA256

    d8d63618bdbf7026bc080aee5273c85ada6aa81fbc75da63d7393ee334f91fa0

  • SHA512

    1e3fa64ab904ac55f464cac636cbde6c8a9c636b54f83d80d609c38438f6678cc5c7ef595927f0f2430dd8d6ee24dd28244474ec7874ae00eae4067e1f51ad7a

  • SSDEEP

    6144:nrzLyr6ikE5Zg0DzRWA2xUo8pTmwT1oVo6a:nr3yr6iVnDzRWZxMfoW6

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes
  • url_path

    /advdlc.php

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8d63618bdbf7026bc080aee5273c85ada6aa81fbc75da63d7393ee334f91fa0.exe
    "C:\Users\Admin\AppData\Local\Temp\d8d63618bdbf7026bc080aee5273c85ada6aa81fbc75da63d7393ee334f91fa0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 772
      2⤵
      • Program crash
      PID:1636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 780
      2⤵
      • Program crash
      PID:3892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 840
      2⤵
      • Program crash
      PID:1988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 848
      2⤵
      • Program crash
      PID:2848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 976
      2⤵
      • Program crash
      PID:3724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 980
      2⤵
      • Program crash
      PID:1992
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1424
      2⤵
      • Program crash
      PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "d8d63618bdbf7026bc080aee5273c85ada6aa81fbc75da63d7393ee334f91fa0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\d8d63618bdbf7026bc080aee5273c85ada6aa81fbc75da63d7393ee334f91fa0.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "d8d63618bdbf7026bc080aee5273c85ada6aa81fbc75da63d7393ee334f91fa0.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1520
      2⤵
      • Program crash
      PID:4160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
    1⤵
      PID:4752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4896 -ip 4896
      1⤵
        PID:4792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 4896
        1⤵
          PID:4636
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4896 -ip 4896
          1⤵
            PID:4968
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4896 -ip 4896
            1⤵
              PID:3560
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4896 -ip 4896
              1⤵
                PID:1048
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4896 -ip 4896
                1⤵
                  PID:1580
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4896 -ip 4896
                  1⤵
                    PID:1528

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/4896-1-0x0000000001D00000-0x0000000001E00000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4896-3-0x0000000000400000-0x000000000042F000-memory.dmp

                    Filesize

                    188KB

                  • memory/4896-2-0x0000000001CA0000-0x0000000001CCD000-memory.dmp

                    Filesize

                    180KB

                  • memory/4896-6-0x0000000000400000-0x000000000042F000-memory.dmp

                    Filesize

                    188KB

                  • memory/4896-5-0x0000000000400000-0x0000000001A16000-memory.dmp

                    Filesize

                    22.1MB