Analysis

  • max time kernel
    90s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-05-2024 12:46

General

  • Target

    4b6c4c17e2a9200eb820f2bd7aa0b30d420299b0aa1599ae935e7409a0124774.exe

  • Size

    268KB

  • MD5

    d4b5defd49386b58a8eafe6560dc94d5

  • SHA1

    c9492d819ce38cc74489b40cfd2fd4cd97a0b747

  • SHA256

    4b6c4c17e2a9200eb820f2bd7aa0b30d420299b0aa1599ae935e7409a0124774

  • SHA512

    7d8c8564524c278bf32c960080d40fa491ca0dddaecb06e1831c4723a4a84564b9f1165d2f5d03cc22e7a246c0b1559403c1f3b673998a7b3beebebdd38bc0a0

  • SSDEEP

    3072:sn0oqvhLPtBUM952fX+D4BXVK48IA1xWJy95KbWUEc5RFcu2v:s0oEFBUw5Gc4BXYTQG0SU3F

Score
10/10

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b6c4c17e2a9200eb820f2bd7aa0b30d420299b0aa1599ae935e7409a0124774.exe
    "C:\Users\Admin\AppData\Local\Temp\4b6c4c17e2a9200eb820f2bd7aa0b30d420299b0aa1599ae935e7409a0124774.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 476
      2⤵
      • Program crash
      PID:4520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 796
      2⤵
      • Program crash
      PID:1928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 816
      2⤵
      • Program crash
      PID:2880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 856
      2⤵
      • Program crash
      PID:5052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 900
      2⤵
      • Program crash
      PID:4820
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1000
      2⤵
      • Program crash
      PID:1520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1104
      2⤵
      • Program crash
      PID:4908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1448
      2⤵
      • Program crash
      PID:2416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "4b6c4c17e2a9200eb820f2bd7aa0b30d420299b0aa1599ae935e7409a0124774.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\4b6c4c17e2a9200eb820f2bd7aa0b30d420299b0aa1599ae935e7409a0124774.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "4b6c4c17e2a9200eb820f2bd7aa0b30d420299b0aa1599ae935e7409a0124774.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 544
      2⤵
      • Program crash
      PID:1264
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1468 -ip 1468
    1⤵
      PID:3132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1468 -ip 1468
      1⤵
        PID:3512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1468 -ip 1468
        1⤵
          PID:4044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1468 -ip 1468
          1⤵
            PID:4756
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1468 -ip 1468
            1⤵
              PID:4600
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1468 -ip 1468
              1⤵
                PID:1456
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1468 -ip 1468
                1⤵
                  PID:2096
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1468 -ip 1468
                  1⤵
                    PID:4620
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1468 -ip 1468
                    1⤵
                      PID:4316

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/1468-3-0x0000000000400000-0x0000000000440000-memory.dmp
                      Filesize

                      256KB

                    • memory/1468-2-0x00000000025D0000-0x000000000260C000-memory.dmp
                      Filesize

                      240KB

                    • memory/1468-1-0x0000000002630000-0x0000000002730000-memory.dmp
                      Filesize

                      1024KB

                    • memory/1468-7-0x0000000000400000-0x0000000000440000-memory.dmp
                      Filesize

                      256KB

                    • memory/1468-6-0x0000000000400000-0x0000000002360000-memory.dmp
                      Filesize

                      31.4MB