gcleaner | 691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51

General

Target

691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
Size

278KB
MD5

673ea1efbea95943a20a9fcc6b3dea5d
SHA1

32ce625b17508fd013445fdab081f3461f73ba65
SHA256

691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51
SHA512

17318e6c946a99ca2eb68bc2a1cc4d978b66cb3bbb9c540953fe59f31363fd466a4ba06488d5dd68e1ee02a10fbf4dcc55443311c4b969477ad5cc10e813024a
SSDEEP

6144:D39AQwEjyzfDtaAtWH7ROEe3ppGFZydUBg:D39AjEj8hlWHte3ppEW

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4528	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
2060	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
3968	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
4596	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
3244	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
5032	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
4108	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
4152	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
4700	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
2712	900	WerFault.exe	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3196 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3196 taskkill.exe

pid	process
3196	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3196	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 2256	900	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe	cmd.exe
PID 900 wrote to memory of 2256	900	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe	cmd.exe
PID 900 wrote to memory of 2256	900	691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe	cmd.exe
PID 2256 wrote to memory of 3196	2256	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 3196	2256	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 3196	2256	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe
"C:\Users\Admin\AppData\Local\Temp\691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 456
2⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 480
2⤵
- Program crash
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 748
2⤵
- Program crash
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 788
2⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 764
2⤵
- Program crash
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 800
2⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 912
2⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 916
2⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1364
2⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "691364d144dd29cb5632e00609a7168dd49f0be90d24dff4ad40ad00cd678c51.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1308
2⤵
- Program crash
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 900 -ip 900
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 900 -ip 900
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 900 -ip 900
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 900 -ip 900
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 900 -ip 900
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 900 -ip 900
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 900 -ip 900
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 900 -ip 900
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 900 -ip 900
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 900 -ip 900
1⤵
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/900-2-0x00000000048D0000-0x000000000490C000-memory.dmp

Filesize
240KB

Download
memory/900-1-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

Filesize
1024KB

Download
memory/900-8-0x00000000048D0000-0x000000000490C000-memory.dmp

Filesize
240KB

Download
memory/900-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/900-6-0x0000000000400000-0x0000000002CA4000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads