gcleaner | 7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa

General

Target

7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
Size

332KB
MD5

5ba6c06b6430b1d0ce57ada8d2d72613
SHA1

eb9829f22290617f07f4470b31f919168b65b29c
SHA256

7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa
SHA512

dd63eca21ee1c1697756c1189e4ec8e59afbaa998c623de0e8a45d0c214dc011e5aa7d23b4fd27a82a7cc681668f6e7e38d94f0e4727d7956ae2f649a3aa747f
SSDEEP

6144:fato6hkvHnD2WM+RXPCtyyzDeTz2K6Fb4T:fatoNvitBzDeTz2KL

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

185.172.128.69

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4668	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
212	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
4148	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
2704	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
312	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
3468	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
2324	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
1716	1768	WerFault.exe	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

428 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 428 taskkill.exe

pid	process
428	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	428	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1724	1768	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe	cmd.exe
PID 1768 wrote to memory of 1724	1768	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe	cmd.exe
PID 1768 wrote to memory of 1724	1768	7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe	cmd.exe
PID 1724 wrote to memory of 428	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 428	1724	cmd.exe	taskkill.exe
PID 1724 wrote to memory of 428	1724	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe
"C:\Users\Admin\AppData\Local\Temp\7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 760
2⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 780
2⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 840
2⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 884
2⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 944
2⤵
- Program crash
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1092
2⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1140
2⤵
- Program crash
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1432
2⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "7f73e5b49b63d597dd5b0acf769ae40f37d69d48562cdaf70b62fba6d7dc38fa.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E49JWOHD\advdlc[1].htm
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/1768-1-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1768-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-2-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/1768-9-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/1768-14-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1768-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-21-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing