gcleaner | 5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d

General

Target

5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
Size

293KB
MD5

ae42e88d1994524ba3bdcd883c130362
SHA1

d478a2f2971a4d42e3cea4a6f4bdc7cbb2a16511
SHA256

5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d
SHA512

210f9bdb167028ad0f2dd34d1b5f9be482f19c1fb5cc3da68aefdb0227f933229d88b0dd379a9e0fe5c60bb6f152d82556d0795381271e46ed36686a3d5c0aeb
SSDEEP

6144:wtjZMAM3J0OehQdYIjHhuaCqIqMNbokdT:GjZMfZ0OoQCIThuari

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1784	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
2392	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
4792	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
2284	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
440	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
1636	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
4760	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
1816	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
4628	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
3588	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
2032	1388	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2964 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2964 taskkill.exe

pid	process
2964	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2964	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.execmd.exe

description	pid	process	target process
PID 1388 wrote to memory of 4432	1388	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe	cmd.exe
PID 1388 wrote to memory of 4432	1388	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe	cmd.exe
PID 1388 wrote to memory of 4432	1388	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe	cmd.exe
PID 4432 wrote to memory of 2964	4432	cmd.exe	taskkill.exe
PID 4432 wrote to memory of 2964	4432	cmd.exe	taskkill.exe
PID 4432 wrote to memory of 2964	4432	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
"C:\Users\Admin\AppData\Local\Temp\5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 452
2⤵
- Program crash
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 480
2⤵
- Program crash
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 748
2⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 784
2⤵
- Program crash
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 784
2⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 820
2⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 912
2⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 916
2⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1040
2⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1348
2⤵
- Program crash
PID:3588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1432
2⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1388 -ip 1388
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1388 -ip 1388
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1388 -ip 1388
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1388 -ip 1388
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1388 -ip 1388
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1388 -ip 1388
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1388 -ip 1388
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1388 -ip 1388
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1388 -ip 1388
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1388 -ip 1388
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1388 -ip 1388
1⤵
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-2-0x00000000048C0000-0x00000000048FC000-memory.dmp

Filesize
240KB

Download
memory/1388-1-0x0000000002E20000-0x0000000002F20000-memory.dmp

Filesize
1024KB

Download
memory/1388-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-7-0x00000000048C0000-0x00000000048FC000-memory.dmp

Filesize
240KB

Download
memory/1388-6-0x0000000000400000-0x0000000002CA8000-memory.dmp

Filesize
40.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads