Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-06-2024 05:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83f9187bcfa11b0ce2b0522341b6537d94d66e259f95d91f8d209968b8f75daa.exe

  • Size

    378KB

  • MD5

    3b8e5ba71550f06a25c6b91b3cdcc486

  • SHA1

    5d1a70926fc23d8b8422059999b2bc5ed019aea7

  • SHA256

    83f9187bcfa11b0ce2b0522341b6537d94d66e259f95d91f8d209968b8f75daa

  • SHA512

    cf2792d32ebe77fcc843f57a0a839631091f588238e724c110bd400e1d8d7e306bd4e40313d9d70dc9874a4fcc369cb299e6a4cf3816c8d3ec30e022765794ee

  • SSDEEP

    6144:Gh1MYsTPdUKVaqqypDVDhBzk9LuJXaHFWmrZIOubTi:NYsT1UTqqS1KLBFXrZ/8

Score
10/10
gcleanerloader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 11 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83f9187bcfa11b0ce2b0522341b6537d94d66e259f95d91f8d209968b8f75daa.exe
    "C:\Users\Admin\AppData\Local\Temp\83f9187bcfa11b0ce2b0522341b6537d94d66e259f95d91f8d209968b8f75daa.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 456
      2⤵
      • Program crash
      PID:3036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 488
      2⤵
      • Program crash
      PID:2532
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 748
      2⤵
      • Program crash
      PID:2640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 748
      2⤵
      • Program crash
      PID:4700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 748
      2⤵
      • Program crash
      PID:4512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 760
      2⤵
      • Program crash
      PID:3480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 912
      2⤵
      • Program crash
      PID:3252
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 988
      2⤵
      • Program crash
      PID:1440
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1056
      2⤵
      • Program crash
      PID:3484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1608
      2⤵
      • Program crash
      PID:3960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "83f9187bcfa11b0ce2b0522341b6537d94d66e259f95d91f8d209968b8f75daa.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\83f9187bcfa11b0ce2b0522341b6537d94d66e259f95d91f8d209968b8f75daa.exe" & exit
      2⤵
        PID:1804
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im "83f9187bcfa11b0ce2b0522341b6537d94d66e259f95d91f8d209968b8f75daa.exe" /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1572
        2⤵
        • Program crash
        PID:4624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 3228
      1⤵
        PID:4236
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3228 -ip 3228
        1⤵
          PID:5072
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8
          1⤵
            PID:856
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3228 -ip 3228
            1⤵
              PID:3708
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3228 -ip 3228
              1⤵
                PID:4748
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3228 -ip 3228
                1⤵
                  PID:552
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3228 -ip 3228
                  1⤵
                    PID:2600
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3228 -ip 3228
                    1⤵
                      PID:1040
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3228 -ip 3228
                      1⤵
                        PID:752
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3228 -ip 3228
                        1⤵
                          PID:1976
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3228 -ip 3228
                          1⤵
                            PID:4180
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3228 -ip 3228
                            1⤵
                              PID:4340

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SYNNS6ZU\advdlc[1].htm
                              Filesize

                              1B

                              MD5

                              cfcd208495d565ef66e7dff9f98764da

                              SHA1

                              b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                              SHA256

                              5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                              SHA512

                              31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                              Download Submit
                            • memory/3228-1-0x0000000000610000-0x0000000000710000-memory.dmp
                              Filesize

                              1024KB

                              Download
                            • memory/3228-3-0x0000000000400000-0x0000000000440000-memory.dmp
                              Filesize

                              256KB

                              Download
                            • memory/3228-2-0x00000000005D0000-0x000000000060C000-memory.dmp
                              Filesize

                              240KB

                              Download
                            • memory/3228-8-0x0000000010000000-0x000000001001C000-memory.dmp
                              Filesize

                              112KB

                              Download
                            • memory/3228-12-0x0000000000400000-0x000000000046F000-memory.dmp
                              Filesize

                              444KB

                              Download
                            • memory/3228-20-0x0000000000610000-0x0000000000710000-memory.dmp
                              Filesize

                              1024KB

                              Download
                            • memory/3228-23-0x0000000000400000-0x0000000000440000-memory.dmp
                              Filesize

                              256KB

                              Download
                            • memory/3228-35-0x0000000000400000-0x0000000000440000-memory.dmp
                              Filesize

                              256KB

                              Download
                            • memory/3228-34-0x0000000000400000-0x000000000046F000-memory.dmp
                              Filesize

                              444KB

                              Download