gcleaner | 5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d

General

Target

5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
Size

293KB
MD5

ae42e88d1994524ba3bdcd883c130362
SHA1

d478a2f2971a4d42e3cea4a6f4bdc7cbb2a16511
SHA256

5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d
SHA512

210f9bdb167028ad0f2dd34d1b5f9be482f19c1fb5cc3da68aefdb0227f933229d88b0dd379a9e0fe5c60bb6f152d82556d0795381271e46ed36686a3d5c0aeb
SSDEEP

6144:wtjZMAM3J0OehQdYIjHhuaCqIqMNbokdT:GjZMfZ0OoQCIThuari

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3572	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
4752	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
4728	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
1544	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
3872	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
2016	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
4100	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
5052	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
3120	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
2676	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
2432	3344	WerFault.exe	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1468 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1468 taskkill.exe

pid	process
1468	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1468	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.execmd.exe

description	pid	process	target process
PID 3344 wrote to memory of 2944	3344	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe	cmd.exe
PID 3344 wrote to memory of 2944	3344	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe	cmd.exe
PID 3344 wrote to memory of 2944	3344	5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe	cmd.exe
PID 2944 wrote to memory of 1468	2944	cmd.exe	taskkill.exe
PID 2944 wrote to memory of 1468	2944	cmd.exe	taskkill.exe
PID 2944 wrote to memory of 1468	2944	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe
"C:\Users\Admin\AppData\Local\Temp\5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 484
2⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 532
2⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 780
2⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 824
2⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 780
2⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 824
2⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 984
2⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1084
2⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1108
2⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1480
2⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "5ed8c8693a2dddb59cc3c6eacdc9ab604a9fd2c5d54a4d66f3231aadcd488d1d.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1392
2⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3344 -ip 3344
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3344 -ip 3344
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3344 -ip 3344
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3344 -ip 3344
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3344 -ip 3344
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3344 -ip 3344
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3344 -ip 3344
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3344 -ip 3344
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3344 -ip 3344
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3344 -ip 3344
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3344 -ip 3344
1⤵
PID:3392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3344-1-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/3344-2-0x00000000049B0000-0x00000000049EC000-memory.dmp

Filesize
240KB

Download
memory/3344-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-6-0x0000000000400000-0x0000000002CA8000-memory.dmp

Filesize
40.7MB

Download

Analysis

Sharing