gcleaner | 0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2

General

Target

0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe
Size

251KB
MD5

336fe7d78d3bca75a24753ace2de600e
SHA1

f8c35f8674793ce1e7edfaf4c86868ea5456888a
SHA256

0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2
SHA512

3d044be48c14d6407c2080768061e6d94118790f9aa0f94d9cbd8e9f5dd5d4d77ef83116a26bb518fec413e899a735362f4b28f8118ebe5a96d065dc8014a302
SSDEEP

3072:J33wECzwI7ORulV72yzLYi4fXz90WXakiSJKFagme/k1Ef534sMS8:N3hj70lRzzLD4fXq4zp0agDk1EA3

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4512	4568	WerFault.exe	83
3132	4568	WerFault.exe	83
2328	4568	WerFault.exe	83
4552	4568	WerFault.exe	83
2152	4568	WerFault.exe	83
2808	4568	WerFault.exe	83
2768	4568	WerFault.exe	83
1972	4568	WerFault.exe	83
4500	4568	WerFault.exe	83

Kills process with taskkill 1 IoCs

evasion

pid	Process
2676	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 1832	4568	0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe	117
PID 4568 wrote to memory of 1832	4568	0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe	117
PID 4568 wrote to memory of 1832	4568	0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe	117
PID 1832 wrote to memory of 2676	1832	cmd.exe	121
PID 1832 wrote to memory of 2676	1832	cmd.exe	121
PID 1832 wrote to memory of 2676	1832	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe
"C:\Users\Admin\AppData\Local\Temp\0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 740
  2⤵
  - Program crash
  PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 780
  2⤵
  - Program crash
  PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 800
  2⤵
  - Program crash
  PID:2328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 808
  2⤵
  - Program crash
  PID:4552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 964
  2⤵
  - Program crash
  PID:2152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 984
  2⤵
  - Program crash
  PID:2808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1012
  2⤵
  - Program crash
  PID:2768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1328
  2⤵
  - Program crash
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "0a1fecbe23123af0af6057c65ec15b0b25f58d4aead1044abb603b875c58abf2.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1332
  2⤵
  - Program crash
  PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4568 -ip 4568
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4568 -ip 4568
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4568 -ip 4568
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4568 -ip 4568
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4568 -ip 4568
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4568 -ip 4568
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4568 -ip 4568
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4568 -ip 4568
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4568 -ip 4568
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4568-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-2-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4568-1-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/4568-4-0x0000000000400000-0x0000000002AFC000-memory.dmp

Filesize
39.0MB

Download
memory/4568-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-6-0x0000000000400000-0x0000000002AFC000-memory.dmp

Filesize
39.0MB

Download

Analysis

Sharing