gcleaner | 434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a

Analysis

max time kernel
191s
max time network
293s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/05/2024, 22:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe
Size

252KB
MD5

38b81f3a7945cd32066a2752f44b5469
SHA1

4948b464c7c952b5e267bb994204d103604331fb
SHA256

434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a
SHA512

a9f832757a301f7bd0dc65b9867e8ec65be92afe430595dea4a2786d4b9e049bb9da16934a315f2ffdd19bebb47bf047fd84185b84315a3a7863c5271eff5f16
SSDEEP

3072:TW7A5zwPtBFE01dK/4c8/gbhQxe2fo5d+I5NxyMD97tewZVB2du/Z5ylAmT:iM+jz1SXQxVAS+Nt577B2dugAmT

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2996	5068	WerFault.exe	73
768	5068	WerFault.exe	73
2240	5068	WerFault.exe	73
1364	5068	WerFault.exe	73
644	5068	WerFault.exe	73
4368	5068	WerFault.exe	73
1560	5068	WerFault.exe	73
1476	5068	WerFault.exe	73

Kills process with taskkill 1 IoCs

evasion

pid	Process
4892	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4928	5068	434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe	83
PID 5068 wrote to memory of 4928	5068	434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe	83
PID 5068 wrote to memory of 4928	5068	434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe	83
PID 4928 wrote to memory of 4892	4928	cmd.exe	85
PID 4928 wrote to memory of 4892	4928	cmd.exe	85
PID 4928 wrote to memory of 4892	4928	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe
"C:\Users\Admin\AppData\Local\Temp\434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 760
  2⤵
  - Program crash
  PID:2996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 772
  2⤵
  - Program crash
  PID:768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 840
  2⤵
  - Program crash
  PID:2240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 944
  2⤵
  - Program crash
  PID:1364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 968
  2⤵
  - Program crash
  PID:644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1112
  2⤵
  - Program crash
  PID:4368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1176
  2⤵
  - Program crash
  PID:1560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1264
  2⤵
  - Program crash
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "434aa87c51d2cf00c0f7628f7fb65956c999ced3f6f3baaf3a773bc59596d29a.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5068-2-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/5068-1-0x0000000002B60000-0x0000000002C60000-memory.dmp

Filesize
1024KB

Download
memory/5068-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-5-0x0000000000400000-0x0000000002AFC000-memory.dmp

Filesize
39.0MB

Download
memory/5068-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-7-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/5068-6-0x0000000000400000-0x0000000002AFC000-memory.dmp

Filesize
39.0MB

Download