gcleaner | 3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1

General

Target

3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
Size

276KB
MD5

2bc0a14889b50348187bb816a36725e8
SHA1

e7518022d51f9cca15a92a2f9bd4021773315a63
SHA256

3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1
SHA512

9551be263b6b3eb62e7392e78cb374b86ce56387dd1080e51335f5adcb2f1def26b7062ec61b33953df3e31672b59cc3fc8b257cb7aa8a5b5272d739670712a3
SSDEEP

3072:ZuGnnMlToA3ahjY3T+iMkS2lL7EMyTfqeVQph9+DwiCy+2+Pi/Y6HgltBhkONwwB:rnM9qJigg7E3LYb9Hi42qi/Alq8

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5012	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
5084	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
480	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
4076	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
1832	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
1908	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
952	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
2016	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
3444	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
836	3024	WerFault.exe	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2052 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2052 taskkill.exe

pid	process
2052	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2052	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.execmd.exe

description	pid	process	target process
PID 3024 wrote to memory of 4260	3024	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe	cmd.exe
PID 3024 wrote to memory of 4260	3024	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe	cmd.exe
PID 3024 wrote to memory of 4260	3024	3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe	cmd.exe
PID 4260 wrote to memory of 2052	4260	cmd.exe	taskkill.exe
PID 4260 wrote to memory of 2052	4260	cmd.exe	taskkill.exe
PID 4260 wrote to memory of 2052	4260	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe
"C:\Users\Admin\AppData\Local\Temp\3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 476
2⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 516
2⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 780
2⤵
- Program crash
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 820
2⤵
- Program crash
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 856
2⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 864
2⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 984
2⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 992
2⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1444
2⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "3abd54be7c96b8f42d6bec2a62d174de538a404a1dcc07cdd02e5035518c2de1.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1456
2⤵
- Program crash
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3024 -ip 3024
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3024 -ip 3024
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3024 -ip 3024
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3024 -ip 3024
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3024 -ip 3024
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3024 -ip 3024
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3024 -ip 3024
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3024 -ip 3024
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3024 -ip 3024
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3024 -ip 3024
1⤵
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3024-2-0x00000000049C0000-0x00000000049FC000-memory.dmp

Filesize
240KB

Download
memory/3024-1-0x0000000002EE0000-0x0000000002FE0000-memory.dmp

Filesize
1024KB

Download
memory/3024-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-6-0x0000000000400000-0x0000000002CA3000-memory.dmp

Filesize
40.6MB

Download

Analysis

Sharing