gcleaner | 0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901

General

Target

0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
Size

275KB
MD5

d38c3a0099b96cc45f6161a69bb4b211
SHA1

ca60da53a7c07577b8ef958dd33703bf7269be2f
SHA256

0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901
SHA512

efd0ee9d4d20e471965d45b8e4b2b9559762821af9d43cfcd5d84ad804a489974c53aafe2923e5f2395bdb5672148ac8e5db91cc443d33334fe9aedafa7cb84d
SSDEEP

6144:WfgQ8tj7sdkVcJhWnJjmNxK46muZV3qQGXa:h11Skq7ABmzKpFG

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4456	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
3776	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
2296	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
4408	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
5112	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
840	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
1584	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
1512	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
5108	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
2768	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
4892	4904	WerFault.exe	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4300 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4300 taskkill.exe

pid	process
4300	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4300	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.execmd.exe

description	pid	process	target process
PID 4904 wrote to memory of 4136	4904	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe	cmd.exe
PID 4904 wrote to memory of 4136	4904	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe	cmd.exe
PID 4904 wrote to memory of 4136	4904	0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe	cmd.exe
PID 4136 wrote to memory of 4300	4136	cmd.exe	taskkill.exe
PID 4136 wrote to memory of 4300	4136	cmd.exe	taskkill.exe
PID 4136 wrote to memory of 4300	4136	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe
"C:\Users\Admin\AppData\Local\Temp\0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 460
2⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 504
2⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 792
2⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 800
2⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 800
2⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 856
2⤵
- Program crash
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 444
2⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 984
2⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1028
2⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1348
2⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "0dd249243c7c84d7cca7280a2b48a9e0b3a0869a0516aaffbe70556287a48901.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1328
2⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904
1⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4904 -ip 4904
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4904 -ip 4904
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4904 -ip 4904
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4904 -ip 4904
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4904 -ip 4904
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4904 -ip 4904
1⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4904 -ip 4904
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4904 -ip 4904
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4904 -ip 4904
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4904 -ip 4904
1⤵
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4904-1-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/4904-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-2-0x0000000002E10000-0x0000000002E4C000-memory.dmp

Filesize
240KB

Download
memory/4904-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-6-0x0000000000400000-0x0000000002CA3000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads