gcleaner | a0d51145bd3f6620032b432be3cdb9a4bd3a2b889c01d101c9a53d8c46c6b4e4

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 04:21

Target

31a194cac2e9de7a6007ed9ec667f810N.exe
Size

269KB
MD5

31a194cac2e9de7a6007ed9ec667f810
SHA1

4c32b1079830ec850a9fc5772b62f7ec7e3f3eef
SHA256

a0d51145bd3f6620032b432be3cdb9a4bd3a2b889c01d101c9a53d8c46c6b4e4
SHA512

26f488523aecfb4d26ea71f57a7b8fa155baf4e6d37c81a8f0ad9c810ed83be542effd26fda17e75c191afead0c19c4571614281ddd53e5224d05c447efc2974
SSDEEP

6144:C/l5MBlczZhOHP0DQIpUtJndnUvBJGxhw5UJp8wB:C/EwthXN0ZdUvBJFUN

Score

10^/10

gcleaner loader

Family

gcleaner

185.172.128.90

77.105.160.30

185.172.128.69

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2820	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2496	1992	31a194cac2e9de7a6007ed9ec667f810N.exe	31
PID 1992 wrote to memory of 2496	1992	31a194cac2e9de7a6007ed9ec667f810N.exe	31
PID 1992 wrote to memory of 2496	1992	31a194cac2e9de7a6007ed9ec667f810N.exe	31
PID 1992 wrote to memory of 2496	1992	31a194cac2e9de7a6007ed9ec667f810N.exe	31
PID 2496 wrote to memory of 2820	2496	cmd.exe	33
PID 2496 wrote to memory of 2820	2496	cmd.exe	33
PID 2496 wrote to memory of 2820	2496	cmd.exe	33
PID 2496 wrote to memory of 2820	2496	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe
"C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\31a194cac2e9de7a6007ed9ec667f810N.exe" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "31a194cac2e9de7a6007ed9ec667f810N.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2820

memory/1992-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1992-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-2-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/1992-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-7-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1992-5-0x0000000000400000-0x000000000282B000-memory.dmp

Filesize
36.2MB

Download