gcleaner | b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd

General

Target

b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
Size

292KB
MD5

583d46cf0de48deb8edbebb0f8ca9f2c
SHA1

805772046eb1bdfb6de597d54ae7c1a87d727b8e
SHA256

b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd
SHA512

c2432c73196030af0332c09c688e23da9664dbcf788f17a2defd08bd731591ce2adfb1f1c652b87a003be77ee951851ecd9a8d660b8c1adc905eb4f999089e05
SSDEEP

6144:zKUFfHXsi/uG6/yAAkZVNsGhtLew2DD6JYiNYzcT:zKOPcip6/yAJVO0r2DDUH

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2436	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
5032	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
4356	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
4980	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
4832	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
2368	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
3392	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
516	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
2592	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
3812	2868	WerFault.exe	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2244 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2244 taskkill.exe

pid	process
2244	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2244	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.execmd.exe

description	pid	process	target process
PID 2868 wrote to memory of 4708	2868	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe	cmd.exe
PID 2868 wrote to memory of 4708	2868	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe	cmd.exe
PID 2868 wrote to memory of 4708	2868	b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe	cmd.exe
PID 4708 wrote to memory of 2244	4708	cmd.exe	taskkill.exe
PID 4708 wrote to memory of 2244	4708	cmd.exe	taskkill.exe
PID 4708 wrote to memory of 2244	4708	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe
"C:\Users\Admin\AppData\Local\Temp\b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 448
2⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 472
2⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 748
2⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 792
2⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 812
2⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 780
2⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 912
2⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 988
2⤵
- Program crash
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1312
2⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "b136aa92ce09fd40d8df8e1482b60653f1aa181b82c613bbab68785d6d7de7dd.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1472
2⤵
- Program crash
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2868 -ip 2868
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2868 -ip 2868
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2868 -ip 2868
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2868 -ip 2868
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2868 -ip 2868
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2868 -ip 2868
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2868 -ip 2868
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2868 -ip 2868
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2868 -ip 2868
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2868 -ip 2868
1⤵
PID:3604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-1-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/2868-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-2-0x00000000048B0000-0x00000000048EC000-memory.dmp

Filesize
240KB

Download
memory/2868-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-6-0x0000000000400000-0x0000000002CA8000-memory.dmp

Filesize
40.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads