gcleaner | 6f487c7bc1d98eef7c2fda7f1b38f1c199df9308634ecfc9543497cf0f5d3ea6

General

Target

ed47fa9158e4cccda07bb4659da88d06.exe
Size

280KB
MD5

ed47fa9158e4cccda07bb4659da88d06
SHA1

979ba7b632c71d38630ba39a8caeb4a679fc697f
SHA256

6f487c7bc1d98eef7c2fda7f1b38f1c199df9308634ecfc9543497cf0f5d3ea6
SHA512

a076055a9630f8d0c4ccdb03d1bf6b1f31d2f32e820cf6d427cdbfcf0cbeebb80c141d1b111d17db0b9f7b7275f5c246c00668b0fb3fc45058f4fcdfe3e1a37a
SSDEEP

6144:cP+a94On2taJfqn311On0d21IPzoNGFt94hjsAw:Ta94Lt3n311c1IPket9ws

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

5.42.65.64

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	ed47fa9158e4cccda07bb4659da88d06.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4288	3120	WerFault.exe	82
940	3120	WerFault.exe	82
4536	3120	WerFault.exe	82
468	3120	WerFault.exe	82
3224	3120	WerFault.exe	82
4372	3120	WerFault.exe	82
1364	3120	WerFault.exe	82
2492	3120	WerFault.exe	82
788	3120	WerFault.exe	82
3676	3120	WerFault.exe	82

Kills process with taskkill 1 IoCs

evasion

pid	Process
1328	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1584	3120	ed47fa9158e4cccda07bb4659da88d06.exe	109
PID 3120 wrote to memory of 1584	3120	ed47fa9158e4cccda07bb4659da88d06.exe	109
PID 3120 wrote to memory of 1584	3120	ed47fa9158e4cccda07bb4659da88d06.exe	109
PID 1584 wrote to memory of 1328	1584	cmd.exe	113
PID 1584 wrote to memory of 1328	1584	cmd.exe	113
PID 1584 wrote to memory of 1328	1584	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\ed47fa9158e4cccda07bb4659da88d06.exe
"C:\Users\Admin\AppData\Local\Temp\ed47fa9158e4cccda07bb4659da88d06.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 448
  2⤵
  - Program crash
  PID:4288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 480
  2⤵
  - Program crash
  PID:940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 748
  2⤵
  - Program crash
  PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 768
  2⤵
  - Program crash
  PID:468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 748
  2⤵
  - Program crash
  PID:3224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 840
  2⤵
  - Program crash
  PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 868
  2⤵
  - Program crash
  PID:1364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 852
  2⤵
  - Program crash
  PID:2492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1352
  2⤵
  - Program crash
  PID:788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "ed47fa9158e4cccda07bb4659da88d06.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ed47fa9158e4cccda07bb4659da88d06.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "ed47fa9158e4cccda07bb4659da88d06.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 1368
  2⤵
  - Program crash
  PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3120 -ip 3120
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3120 -ip 3120
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3120 -ip 3120
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3120 -ip 3120
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3120 -ip 3120
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3120 -ip 3120
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3120 -ip 3120
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3120 -ip 3120
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3120-2-0x0000000002090000-0x00000000020CC000-memory.dmp

Filesize
240KB

Download
memory/3120-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/3120-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3120-6-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3120-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing