gcleaner | 6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10/07/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe
Size

370KB
MD5

a580b91155c0870f7ff1e9dc0ee85328
SHA1

474b5b52d7ec66a6de7164d903275b4759851431
SHA256

6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843
SHA512

04f20fab6d4ba08542a047988241e4b9d2b6c12a8f39b717973a5eb40c0b49c41ea06aeadc3bbd0abedb5090528ec7172cdb75e60ea863a44478f13f4bc7a68d
SSDEEP

6144:Sy5ngvXvVhXkqnmWuWxEIc9FXp/Q5owrHaLZUJp8TM:95ng/NhXbnmiEV9FZIYU7

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

77.105.160.30

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	1860	WerFault.exe	79

Kills process with taskkill 1 IoCs

evasion

pid	Process
5000	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 4004	1860	6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe	81
PID 1860 wrote to memory of 4004	1860	6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe	81
PID 1860 wrote to memory of 4004	1860	6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe	81
PID 4004 wrote to memory of 5000	4004	cmd.exe	85
PID 4004 wrote to memory of 5000	4004	cmd.exe	85
PID 4004 wrote to memory of 5000	4004	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe
"C:\Users\Admin\AppData\Local\Temp\6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "6630dc597492000e40fb1bbff37712ff3146080dff4d4c937bdd3d145b8b7843.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1400
  2⤵
  - Program crash
  PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-1-0x0000000002AA0000-0x0000000002BA0000-memory.dmp

Filesize
1024KB

Download
memory/1860-2-0x0000000004690000-0x00000000046CC000-memory.dmp

Filesize
240KB

Download
memory/1860-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-6-0x0000000004690000-0x00000000046CC000-memory.dmp

Filesize
240KB

Download
memory/1860-5-0x0000000000400000-0x0000000002844000-memory.dmp

Filesize
36.3MB

Download