gcleaner | 7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7

General

Target

7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
Size

249KB
MD5

aded808384437aacda351ae705b93dfd
SHA1

4268a4765658ddb7d7a379740397c1bd3cb17556
SHA256

7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7
SHA512

1b6d3c6af432400dc36004244f58e65762ec9e0ac298f12a8fc5b708c279b5aca2fb04cf755b83cad1f823f09e0c8f9a625098466d4252062effbcf92fd48844
SSDEEP

6144:k1rsTf6DcN0H1F2MsU1N0GxcZnuWIvuznkXT3Y:k1rsTf6DO0iMsU1N0Wunu

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4184	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
2504	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
2264	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
2616	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
1484	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
4976	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
4124	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
3792	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
3160	4348	WerFault.exe	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5108 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 5108 taskkill.exe

pid	process
5108	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	5108	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.execmd.exe

description	pid	process	target process
PID 4348 wrote to memory of 4004	4348	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe	cmd.exe
PID 4348 wrote to memory of 4004	4348	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe	cmd.exe
PID 4348 wrote to memory of 4004	4348	7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe	cmd.exe
PID 4004 wrote to memory of 5108	4004	cmd.exe	taskkill.exe
PID 4004 wrote to memory of 5108	4004	cmd.exe	taskkill.exe
PID 4004 wrote to memory of 5108	4004	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe
"C:\Users\Admin\AppData\Local\Temp\7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 772
2⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 780
2⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 800
2⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 812
2⤵
- Program crash
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 976
2⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 980
2⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1108
2⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1440
2⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "7ccb06e9081fa6ce5bb004be6da138facdd9cd5d814c89daaf067d60bcd60fd7.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1456
2⤵
- Program crash
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4348 -ip 4348
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4348 -ip 4348
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4348 -ip 4348
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4348 -ip 4348
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4348 -ip 4348
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4348 -ip 4348
1⤵
PID:3084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4348-2-0x00000000021A0000-0x00000000021CD000-memory.dmp

Filesize
180KB

Download
memory/4348-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/4348-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-5-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4348-6-0x00000000021A0000-0x00000000021CD000-memory.dmp

Filesize
180KB

Download
memory/4348-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing