Analysis

  • max time kernel
    90s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-05-2024 19:22

General

  • Target

    84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe

  • Size

    300KB

  • MD5

    0bfabdcbb51b7d24864a50c4a29329c7

  • SHA1

    07af2d06224237d2d1883fe3664eae0f8a20d93e

  • SHA256

    84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce

  • SHA512

    8eb1c6db75cbddffd4fa8ee42c18f80a7df20428db70e99f7229f01ad5d720e2d96c2db8fbd714afd1dc023cc786902d75d344ca2ac806f8fb7b4e9974dfbed9

  • SSDEEP

    3072:3feGI9UO4MZPn9VvUb+MGQhSWb/RKjP6pbj72kwnrqdgz8ybhG0JLq/qf82yrngK:2PTbvESGvKT6pDeN8KhpJLWrn450rk

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes
  • url_path

    /advdlc.php

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe
    "C:\Users\Admin\AppData\Local\Temp\84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 772
      2⤵
      • Program crash
      PID:4556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 812
      2⤵
      • Program crash
      PID:1412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 832
      2⤵
      • Program crash
      PID:3456
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 856
      2⤵
      • Program crash
      PID:2332
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 976
      2⤵
      • Program crash
      PID:1152
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1084
      2⤵
      • Program crash
      PID:2728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1076
      2⤵
      • Program crash
      PID:440
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1444
      2⤵
      • Program crash
      PID:4784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "84636fc6f7ebd1022e377e130cc8bea3a72bb7f6888bd103acedfb4fbe26d6ce.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1436
      2⤵
      • Program crash
      PID:4088
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
    1⤵
      PID:4040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2036 -ip 2036
      1⤵
        PID:760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2036 -ip 2036
        1⤵
          PID:1464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2036 -ip 2036
          1⤵
            PID:3496
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2036 -ip 2036
            1⤵
              PID:3524
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2036 -ip 2036
              1⤵
                PID:4100
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2036 -ip 2036
                1⤵
                  PID:1992
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2036 -ip 2036
                  1⤵
                    PID:1924
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2036 -ip 2036
                    1⤵
                      PID:4500

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/2036-3-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                    • memory/2036-2-0x0000000003740000-0x000000000376D000-memory.dmp

                      Filesize

                      180KB

                    • memory/2036-1-0x0000000001C60000-0x0000000001D60000-memory.dmp

                      Filesize

                      1024KB

                    • memory/2036-6-0x0000000000400000-0x000000000042F000-memory.dmp

                      Filesize

                      188KB

                    • memory/2036-5-0x0000000000400000-0x0000000001A15000-memory.dmp

                      Filesize

                      22.1MB