Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-05-2024 09:15

General

  • Target

    ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe

  • Size

    301KB

  • MD5

    6c48223d8fa432c1b8e8fe1889fb9c14

  • SHA1

    7efbdb0fb12a0a657d7de775636ee3fc23dd6b31

  • SHA256

    ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0

  • SHA512

    189e5aa4d36b495580024c416da1bad3ac3399195bda2dbcd2350da23f7b82e932025010f958d10e8196eeb2973781fe95ddf221f68ded57374f5af8ff48efa7

  • SSDEEP

    6144:+4V9+1MlmH3IGEOoxH1X+82al3EvS3buM:+4V01MEXCOo1YfalQS3b

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes
  • url_path

    /advdlc.php

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe
    "C:\Users\Admin\AppData\Local\Temp\ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 772
      2⤵
      • Program crash
      PID:2900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 812
      2⤵
      • Program crash
      PID:3476
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 852
      2⤵
      • Program crash
      PID:3912
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 772
      2⤵
      • Program crash
      PID:3340
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 976
      2⤵
      • Program crash
      PID:3696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1076
      2⤵
      • Program crash
      PID:1224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1444
      2⤵
      • Program crash
      PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "ff1e3a8e37987c9969d99b704c952cd2b95bc490a5a17ec06c15e2eda103f3f0.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1388
      2⤵
      • Program crash
      PID:2164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4028 -ip 4028
    1⤵
      PID:2308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4028 -ip 4028
      1⤵
        PID:4884
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4028 -ip 4028
        1⤵
          PID:2908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4028 -ip 4028
          1⤵
            PID:3656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4028 -ip 4028
            1⤵
              PID:3892
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4028 -ip 4028
              1⤵
                PID:2116
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4028 -ip 4028
                1⤵
                  PID:4812
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4028 -ip 4028
                  1⤵
                    PID:2000

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/4028-3-0x0000000000400000-0x000000000042F000-memory.dmp

                    Filesize

                    188KB

                  • memory/4028-2-0x0000000002E50000-0x0000000002E7D000-memory.dmp

                    Filesize

                    180KB

                  • memory/4028-1-0x0000000002C40000-0x0000000002D40000-memory.dmp

                    Filesize

                    1024KB

                  • memory/4028-6-0x0000000000400000-0x000000000042F000-memory.dmp

                    Filesize

                    188KB

                  • memory/4028-5-0x0000000000400000-0x0000000002B09000-memory.dmp

                    Filesize

                    39.0MB