gcleaner | 645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4

General

Target

645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe
Size

295KB
MD5

d221456c3724a8ae84d820c0d0afcbd0
SHA1

59b1473db91fbf6890ba64b512b73565fc51ea9e
SHA256

645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4
SHA512

4e73d8ab04ac84ad3e8890298958dc894bd7ce3ea3d11bd278bc4469b5be087922052aa046ca20e29c614e1675e490220318b0dc3689c7dd716aa1192cc5896e
SSDEEP

3072:Ei0lmjZc7WnYxroz6/waAAoJIXFoJncSIlQBAWJ2Y3xUvxcW9GNI+B75icT1jtd:j9ju75fVSIaafWzCvSW8G+1L

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

5.42.65.64

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2964	3024	WerFault.exe	82
840	3024	WerFault.exe	82
780	3024	WerFault.exe	82
816	3024	WerFault.exe	82
2588	3024	WerFault.exe	82
3140	3024	WerFault.exe	82
1516	3024	WerFault.exe	82
4740	3024	WerFault.exe	82
232	3024	WerFault.exe	82

Kills process with taskkill 1 IoCs

evasion

pid	Process
2652	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3048	3024	645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe	112
PID 3024 wrote to memory of 3048	3024	645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe	112
PID 3024 wrote to memory of 3048	3024	645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe	112
PID 3048 wrote to memory of 2652	3048	cmd.exe	116
PID 3048 wrote to memory of 2652	3048	cmd.exe	116
PID 3048 wrote to memory of 2652	3048	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe
"C:\Users\Admin\AppData\Local\Temp\645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 452
  2⤵
  - Program crash
  PID:2964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 764
  2⤵
  - Program crash
  PID:840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 804
  2⤵
  - Program crash
  PID:780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 820
  2⤵
  - Program crash
  PID:816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 828
  2⤵
  - Program crash
  PID:2588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 928
  2⤵
  - Program crash
  PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 936
  2⤵
  - Program crash
  PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1356
  2⤵
  - Program crash
  PID:4740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "645ccca17804f453d92dca6394beadcd8c774f413cacf918c75a1a6517acc7c4.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 504
  2⤵
  - Program crash
  PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3024 -ip 3024
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3024 -ip 3024
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3024 -ip 3024
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3024 -ip 3024
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3024 -ip 3024
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3024 -ip 3024
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3024 -ip 3024
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3024 -ip 3024
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3024 -ip 3024
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3024-1-0x0000000002740000-0x0000000002840000-memory.dmp

Filesize
1024KB

Download
memory/3024-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-2-0x0000000004360000-0x000000000439C000-memory.dmp

Filesize
240KB

Download
memory/3024-4-0x0000000000400000-0x0000000002736000-memory.dmp

Filesize
35.2MB

Download
memory/3024-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-7-0x0000000000400000-0x0000000002736000-memory.dmp

Filesize
35.2MB

Download

Analysis

Sharing