gcleaner | efec912465df5c55b4764e0277aa4c4c549e612b4f3c5abf77aaec647729f78a

General

Target

file.exe
Size

4KB
MD5

ddc9229a87f36e9d555ddae1c8d4ac09
SHA1

e902d5ab723fa81913dd73999da9778781647c28
SHA256

efec912465df5c55b4764e0277aa4c4c549e612b4f3c5abf77aaec647729f78a
SHA512

08b5ad94168bf90bae2f2917fde1b2a36650845fdcb23881d76ddddae73359fbd774c92083ba03a84083c48d4922afb339c637d49dfa67fbf9eb95b3bf86baa6
SSDEEP

48:66sn7l2zMdoHSe0rHNMMb9Y7VxCioXsTfxZsFtow/ljhFvCFipfbNtm:PYqX9VxCJ8U/3F5zNt

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

C2

80.66.75.114

45.91.200.135

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2668	tmp2EE.tmp.exe
2840	OSRqTouTi.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	tmp2EE.tmp.exe
2668	tmp2EE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2EE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2944	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	file.exe
Token: SeDebugPrivilege	2944	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2668	2080	file.exe	30
PID 2080 wrote to memory of 2668	2080	file.exe	30
PID 2080 wrote to memory of 2668	2080	file.exe	30
PID 2080 wrote to memory of 2668	2080	file.exe	30
PID 2668 wrote to memory of 2840	2668	tmp2EE.tmp.exe	31
PID 2668 wrote to memory of 2840	2668	tmp2EE.tmp.exe	31
PID 2668 wrote to memory of 2840	2668	tmp2EE.tmp.exe	31
PID 2668 wrote to memory of 2840	2668	tmp2EE.tmp.exe	31
PID 2668 wrote to memory of 2120	2668	tmp2EE.tmp.exe	33
PID 2668 wrote to memory of 2120	2668	tmp2EE.tmp.exe	33
PID 2668 wrote to memory of 2120	2668	tmp2EE.tmp.exe	33
PID 2668 wrote to memory of 2120	2668	tmp2EE.tmp.exe	33
PID 2120 wrote to memory of 2944	2120	cmd.exe	35
PID 2120 wrote to memory of 2944	2120	cmd.exe	35
PID 2120 wrote to memory of 2944	2120	cmd.exe	35
PID 2120 wrote to memory of 2944	2120	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\KXF4F\OSRqTouTi.exe
    "C:\Users\Admin\AppData\Roaming\KXF4F\OSRqTouTi.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "tmp2EE.tmp.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "tmp2EE.tmp.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2EE.tmp.exe

Filesize
334KB

MD5
bdf38f58675cd77401c679df69c4a3e8

SHA1
298dac0330058235adec1bd5dd80c59f99c688af

SHA256
08dc5b0fb0c2646f546f0af389c3c9934995f1cf6819a05c171db3eca242554d

SHA512
fa056f5784c76252db3edff2f0ba060b2ac42fbb2c73fedaa076ba735b2f19c14b7feff69f6794f0108c98fe91764e4d45110459e87df68a072a78f212a363c1

Download Submit
\Users\Admin\AppData\Local\Temp\6y0ZrHyuYBxFxGOIOP51v84Nv\Y-Cleaner.exe

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
\Users\Admin\AppData\Roaming\KXF4F\OSRqTouTi.exe

Filesize
4KB

MD5
f328a95046e3a2514c36347eaec911c0

SHA1
8ec9c18384ca1e08a397bf7b3d46b6d784669ef0

SHA256
d55e86610dcad29c3d2857d9dae91aa51228b1fa001ea2d7bda88b9a2b5570a9

SHA512
2fc3621433c5da3dcb5b9d9133cd9d63d8f53fd60c81ddab8b83bad60efb98942fc38a63dfa98edfc8358c8e4e345a7ec8fa3aa14c18d4337cdd90ea0aed4718

Download Submit
memory/2080-0-0x000007FEF5FE3000-0x000007FEF5FE4000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/2080-2-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2080-10-0x000007FEF5FE0000-0x000007FEF69CC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-19-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2668-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-13-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/2668-30-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2668-31-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/2668-34-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2668-12-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2668-42-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-43-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2668-41-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2840-28-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing