gcleaner | 08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098

General

Target

08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
Size

277KB
MD5

39c9ac76013c43e4d824f46780853fef
SHA1

254741f6975cb20e98e212bb9c7b4c8c70bb9241
SHA256

08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098
SHA512

ff3ab1f1c693aa1f11f6732292225bf00a5dacf89c73d58ba44c164d7443bf106a077ca74bc3816504a3896e343097194e9bdf65b367854e8d1a3b8d99fcb852
SSDEEP

3072:FuzgfDO5OQCAoDeJbB+OEll5+t5an/RJarFiBmqCx6lIylW0TTudOJ/vNU4O7ufO:jfD6CbqJlAz/Ragkhx6l44aIRNxvf

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4540	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
3276	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
2280	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
2488	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
4800	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
2168	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
2904	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
1008	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
3016	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
2088	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
3780	3116	WerFault.exe	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3456 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3456 taskkill.exe

pid	process
3456	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3456	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.execmd.exe

description	pid	process	target process
PID 3116 wrote to memory of 228	3116	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe	cmd.exe
PID 3116 wrote to memory of 228	3116	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe	cmd.exe
PID 3116 wrote to memory of 228	3116	08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe	cmd.exe
PID 228 wrote to memory of 3456	228	cmd.exe	taskkill.exe
PID 228 wrote to memory of 3456	228	cmd.exe	taskkill.exe
PID 228 wrote to memory of 3456	228	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe
"C:\Users\Admin\AppData\Local\Temp\08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 476
2⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 500
2⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 788
2⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 796
2⤵
- Program crash
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 840
2⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 884
2⤵
- Program crash
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 984
2⤵
- Program crash
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 988
2⤵
- Program crash
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1064
2⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1452
2⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "08685f1c124422454dc52cad0d42b68109bd1c4d9c4f56ce67ed1959b4358098.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1432
2⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3116 -ip 3116
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3116 -ip 3116
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3116 -ip 3116
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3116 -ip 3116
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3116 -ip 3116
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3116 -ip 3116
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3116 -ip 3116
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3116 -ip 3116
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3116 -ip 3116
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3116 -ip 3116
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3116 -ip 3116
1⤵
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3116-2-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-1-0x0000000003060000-0x0000000003160000-memory.dmp

Filesize
1024KB

Download
memory/3116-3-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/3116-7-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download
memory/3116-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing