gcleaner | 30f369545192f89f2be9e17a9c9335e6d9725104253a8f2e5dbe2a00c36ab589

General

Target

0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
Size

370KB
MD5

fa7383138b89d723bf99d6b40e9758ae
SHA1

32b4bb823a8decec83ff94f5bc944d3501c6a4fe
SHA256

0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d
SHA512

ba17701e8c0014adb1d34e202523561217aa3d4f0fa2d3c753a2f42fc076baa0d4759c207d3112304d678a5a79643c67442a6b48a55032a6f1a4c7afc2d6b688
SSDEEP

6144:j6N7kOswEGuk80dNtHJpqkRMzGQLDSvTH:KkYvpfBCaQL+H

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3924	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
4616	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
1116	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
3532	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
3964	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
3312	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
1120	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
1608	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
2688	4764	WerFault.exe	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2992 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2992 taskkill.exe

pid	process
2992	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2992	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.execmd.exe

description	pid	process	target process
PID 4764 wrote to memory of 4116	4764	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe	cmd.exe
PID 4764 wrote to memory of 4116	4764	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe	cmd.exe
PID 4764 wrote to memory of 4116	4764	0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe	cmd.exe
PID 4116 wrote to memory of 2992	4116	cmd.exe	taskkill.exe
PID 4116 wrote to memory of 2992	4116	cmd.exe	taskkill.exe
PID 4116 wrote to memory of 2992	4116	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe
"C:\Users\Admin\AppData\Local\Temp\0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 524
2⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 768
2⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 776
2⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 792
2⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 860
2⤵
- Program crash
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 932
2⤵
- Program crash
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1020
2⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1604
2⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "0d4afd2cfed2d28a10ab663aa0c51f4b60d587b49020893490c5db7cbc9d0a4d.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1476
2⤵
- Program crash
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4764 -ip 4764
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4764 -ip 4764
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4764 -ip 4764
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4764 -ip 4764
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4764 -ip 4764
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4764 -ip 4764
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4764 -ip 4764
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4764 -ip 4764
1⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4764 -ip 4764
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4764 -ip 4764
1⤵
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\advdlc[1].htm
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/4764-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-4-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4764-6-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/4764-7-0x0000000000630000-0x000000000066C000-memory.dmp

Filesize
240KB

Download
memory/4764-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/4764-14-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4764-2-0x0000000000630000-0x000000000066C000-memory.dmp

Filesize
240KB

Download
memory/4764-21-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4764-37-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4764-38-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4764-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads