gcleaner | 04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a

General

Target

04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
Size

250KB
MD5

7b920e60e0a91157f785214e15a72c11
SHA1

1a7b0b78df6a533e546bf8b54ee418fdc9a03b2d
SHA256

04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a
SHA512

ab7a8394203ae40e9542b596c3c6d500dcb2f0daa93a3d033ab09291f0e3c90f560dd9d48a61832c49485f92de85cb92060899542be038a9a4c2efedb978c3ed
SSDEEP

3072:Ini7ju0gKaTMkgl7SN+DZ/Tx8O2yx5BrExuDHhZYvEbdF8/ykC7tRO1wLiIoqtlx:I4CFv6eNhODx/+urLdF1RjiwUo68T3Y

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3732	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
4072	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
4036	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
3404	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
4796	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
3552	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
4480	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
3820	1640	WerFault.exe	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

900 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 900 taskkill.exe

pid	process
900	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	900	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 1832	1640	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe	cmd.exe
PID 1640 wrote to memory of 1832	1640	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe	cmd.exe
PID 1640 wrote to memory of 1832	1640	04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe	cmd.exe
PID 1832 wrote to memory of 900	1832	cmd.exe	taskkill.exe
PID 1832 wrote to memory of 900	1832	cmd.exe	taskkill.exe
PID 1832 wrote to memory of 900	1832	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe
"C:\Users\Admin\AppData\Local\Temp\04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 772
2⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 812
2⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 812
2⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 804
2⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 976
2⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1084
2⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1428
2⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "04037b5f379cdd8cf9f4bf3983a714e81f0e118402587d6144a2d0ff5a34b50a.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1528
2⤵
- Program crash
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1640 -ip 1640
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1640 -ip 1640
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1640 -ip 1640
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1640 -ip 1640
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1640 -ip 1640
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1640 -ip 1640
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1640 -ip 1640
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1640 -ip 1640
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-2-0x00000000021B0000-0x00000000021DD000-memory.dmp

Filesize
180KB

Download
memory/1640-1-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1640-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-5-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing