gcleaner | 085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5

General

Target

085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
Size

234KB
MD5

10ce4f27695a42574059e5fd8b342760
SHA1

fc96ec057a00ccfa5491e40c01bafa1249da59e9
SHA256

085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5
SHA512

0e32d8deb124ff86f37bffab0f9a052af6697764e5835938a98331661256a42ba16c702e360ca33980d799414fc5ac87ac62f547ff4d654e58f06e7b04d68b3a
SSDEEP

3072:De4EUm1rm8/JmSHWj3QFO0degWLz6a7w+MvC27uFlX5MvbX:1V4CSHYg4RMrClab

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2360	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
1692	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
1600	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
2032	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
1460	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
3964	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
1664	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
3860	4540	WerFault.exe	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3084 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3084 taskkill.exe

pid	process
3084	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3084	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.execmd.exe

description	pid	process	target process
PID 4540 wrote to memory of 3720	4540	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe	cmd.exe
PID 4540 wrote to memory of 3720	4540	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe	cmd.exe
PID 4540 wrote to memory of 3720	4540	085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe	cmd.exe
PID 3720 wrote to memory of 3084	3720	cmd.exe	taskkill.exe
PID 3720 wrote to memory of 3084	3720	cmd.exe	taskkill.exe
PID 3720 wrote to memory of 3084	3720	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe
"C:\Users\Admin\AppData\Local\Temp\085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 772
2⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 780
2⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 828
2⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 836
2⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1040
2⤵
- Program crash
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1080
2⤵
- Program crash
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1420
2⤵
- Program crash
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "085ad204e85d66f16ed572a61b5319d90f6047f85da6a42f07eae5229f4c79f5.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1528
2⤵
- Program crash
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4540 -ip 4540
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4540 -ip 4540
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4540 -ip 4540
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4540 -ip 4540
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4540 -ip 4540
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4540 -ip 4540
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4540 -ip 4540
1⤵
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4540-1-0x0000000002430000-0x0000000002530000-memory.dmp

Filesize
1024KB

Download
memory/4540-2-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-3-0x0000000000400000-0x0000000002357000-memory.dmp

Filesize
31.3MB

Download
memory/4540-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-6-0x0000000000400000-0x0000000002357000-memory.dmp

Filesize
31.3MB

Download

Analysis

Sharing