gcleaner | ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e

General

Target

ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
Size

383KB
MD5

d94fa42cdcc2a9eae3b70a7350b169f9
SHA1

6d61e4bab0e98948ee98d0a6ef27ca6109d671f4
SHA256

ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e
SHA512

d45776fd7295b63af8deb3c5e53132ccb9a5bd054f88aaaeb919c626064c117a0bc92cec2ae19b4f3dc7d1f0323b2290d11a8b8a982319b947a020fc600112c7
SSDEEP

6144:GvaISkrkbFQuI4UI8Px2Cr7ob8Rk4QcQTXjIOubTh:EhZwbl6UCPMgk4QcQXj/8

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3188	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
4460	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
4840	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
1980	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
1884	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
396	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
1600	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
4164	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
4800	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
2972	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
732	5092	WerFault.exe	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4060 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4060 taskkill.exe

pid	process
4060	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4060	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.execmd.exe

description	pid	process	target process
PID 5092 wrote to memory of 2348	5092	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe	cmd.exe
PID 5092 wrote to memory of 2348	5092	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe	cmd.exe
PID 5092 wrote to memory of 2348	5092	ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe	cmd.exe
PID 2348 wrote to memory of 4060	2348	cmd.exe	taskkill.exe
PID 2348 wrote to memory of 4060	2348	cmd.exe	taskkill.exe
PID 2348 wrote to memory of 4060	2348	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe
"C:\Users\Admin\AppData\Local\Temp\ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 476
2⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 480
2⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 780
2⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 820
2⤵
- Program crash
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 840
2⤵
- Program crash
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 804
2⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 984
2⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1072
2⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1480
2⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1732
2⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ac2ca8f0f447c0321caced59c99dc4076d957ce86c35ccc516ad0212f9b3fb4e.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1420
2⤵
- Program crash
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5092 -ip 5092
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5092 -ip 5092
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5092 -ip 5092
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5092 -ip 5092
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5092 -ip 5092
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5092 -ip 5092
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5092 -ip 5092
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5092 -ip 5092
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5092 -ip 5092
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5092 -ip 5092
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5092 -ip 5092
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QF81BTGY\advdlc[1].htm
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/5092-1-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/5092-2-0x00000000007F0000-0x000000000082C000-memory.dmp

Filesize
240KB

Download
memory/5092-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-8-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5092-14-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5092-18-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/5092-22-0x00000000007F0000-0x000000000082C000-memory.dmp

Filesize
240KB

Download
memory/5092-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5092-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5092-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing