gcleaner | b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903

General

Target

b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
Size

255KB
MD5

7a09006c1fff614757e6ecc56ca83002
SHA1

5eb3103dea1bc25a3f223891bad7d737391b8739
SHA256

b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903
SHA512

1da4abe4a8c1be3f9d95aaeeb503bc079d2c1c0b3c4cf895e1169cc8e4c9a3cd35858131bef15ffe7e9a54f26cda4c51232742c6baef5adc9bc79728834294f1
SSDEEP

6144:PY385ooT0DwnlgcXLJlHdqRq11tPhr1Z40:A385DoDwnmc7JXqRqLdq0

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3428	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
1808	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
2276	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
712	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
1872	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
4072	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
3068	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
2424	4524	WerFault.exe	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2900 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2900 taskkill.exe

pid	process
2900	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2900	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.execmd.exe

description	pid	process	target process
PID 4524 wrote to memory of 2488	4524	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe	cmd.exe
PID 4524 wrote to memory of 2488	4524	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe	cmd.exe
PID 4524 wrote to memory of 2488	4524	b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe	cmd.exe
PID 2488 wrote to memory of 2900	2488	cmd.exe	taskkill.exe
PID 2488 wrote to memory of 2900	2488	cmd.exe	taskkill.exe
PID 2488 wrote to memory of 2900	2488	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe
"C:\Users\Admin\AppData\Local\Temp\b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 772
2⤵
- Program crash
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 772
2⤵
- Program crash
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 772
2⤵
- Program crash
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 792
2⤵
- Program crash
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 984
2⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1084
2⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1432
2⤵
- Program crash
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "b5a43d68d468dab5cb5e51d2f67f924caf1b03d8cdc7217d791649a1fd24f903.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1536
2⤵
- Program crash
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4524 -ip 4524
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4524 -ip 4524
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4524 -ip 4524
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4524 -ip 4524
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4524 -ip 4524
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4524 -ip 4524
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4524 -ip 4524
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4524 -ip 4524
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4524-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-2-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/4524-1-0x0000000000860000-0x0000000000960000-memory.dmp

Filesize
1024KB

Download
memory/4524-5-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4524-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing