gcleaner | d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3

Analysis

max time kernel
133s
max time network
126s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10/07/2024, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe
Size

371KB
MD5

b8f78e5944ae278d57653a7254a3a2ed
SHA1

4d87c6b9e19d61368c56dc8ae017a32d6a5ddcba
SHA256

d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3
SHA512

2eebd0c7d8f2994e781f18129d35dc44ac6ad9f24b8c8dc733ff9ca3ef713849c87a740a85d88096499db11fb3d3d9319ae7b8d93f89fdeafbaec00b49f6b23f
SSDEEP

6144:cNpP8EJzxFt/Ml5KCm2BhaF3fHOPgviLwnRB:cNF8EJ10lwChBIFvF

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

77.105.160.30

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1188	1652	WerFault.exe	79

Kills process with taskkill 1 IoCs

evasion

pid	Process
3192	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 3476	1652	d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe	83
PID 1652 wrote to memory of 3476	1652	d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe	83
PID 1652 wrote to memory of 3476	1652	d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe	83
PID 3476 wrote to memory of 3192	3476	cmd.exe	87
PID 3476 wrote to memory of 3192	3476	cmd.exe	87
PID 3476 wrote to memory of 3192	3476	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe
"C:\Users\Admin\AppData\Local\Temp\d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "d562d4a8d9671510cc3b18b4a801c48f826c9c6d809c73cdaf439a22806f5cf3.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 524
  2⤵
  - Program crash
  PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1652 -ip 1652
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-1-0x0000000002BA0000-0x0000000002CA0000-memory.dmp

Filesize
1024KB

Download
memory/1652-2-0x0000000004690000-0x00000000046CC000-memory.dmp

Filesize
240KB

Download
memory/1652-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-6-0x0000000004690000-0x00000000046CC000-memory.dmp

Filesize
240KB

Download
memory/1652-5-0x0000000000400000-0x0000000002844000-memory.dmp

Filesize
36.3MB

Download