gcleaner | b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d

General

Target

b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe
Size

2.0MB
MD5

6934d931450f98f4ed12f881040a313b
SHA1

efbf96a7484b17c37adbae865e3e81e9a1634dd7
SHA256

b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d
SHA512

72fbf2f66eb63f4c2e1fbb79fe9869682de06d2d347db78aaa90668940329032d4baa9570c4987fc6f0dac8c4b9e1b10b43468ae7f7fdf002515c86ae2a5f270
SSDEEP

49152:6inmpGptWc5epmDBBgKNSjg1N0hd20x0LgwjLX/nvYX0mj:6inDHF2Kkjg1Whd2jzjLvvYD

Score

10^/10

gcleaner discovery loader

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Executes dropped EXE 3 IoCs

Processes:

is-3TTSP.tmpSplitFiles127.exeguroQ.exe

pid process

4956 is-3TTSP.tmp
3012 SplitFiles127.exe
3388 guroQ.exe
Loads dropped DLL 1 IoCs

Processes:

is-3TTSP.tmp

pid process

4956 is-3TTSP.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4956	is-3TTSP.tmp
3012	SplitFiles127.exe
3388	guroQ.exe

pid	process
4956	is-3TTSP.tmp

Drops file in Program Files directory 17 IoCs

Processes:

is-3TTSP.tmp

description	ioc	process
File created	C:\Program Files (x86)\Split Files\unins000.dat	is-3TTSP.tmp
File opened for modification	C:\Program Files (x86)\Split Files\unins000.dat	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-7VFDL.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-F6TS8.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\is-5OH56.tmp	is-3TTSP.tmp
File opened for modification	C:\Program Files (x86)\Split Files\SplitFiles127.exe	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\is-HEP9H.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\is-N43OP.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-5BIUP.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-J8VB5.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\is-4PFBT.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\is-P8ATD.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-E4S89.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-B4SF6.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-M8PIA.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-2NLK6.tmp	is-3TTSP.tmp
File created	C:\Program Files (x86)\Split Files\language\is-A1L8Q.tmp	is-3TTSP.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exeis-3TTSP.tmpSplitFiles127.exeguroQ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-3TTSP.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplitFiles127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guroQ.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SplitFiles127.exe

pid process

3012 SplitFiles127.exe
3012 SplitFiles127.exe
3012 SplitFiles127.exe
3012 SplitFiles127.exe
3012 SplitFiles127.exe
3012 SplitFiles127.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SplitFiles127.exe

pid process

3012 SplitFiles127.exe

pid	process
3012	SplitFiles127.exe
3012	SplitFiles127.exe
3012	SplitFiles127.exe
3012	SplitFiles127.exe
3012	SplitFiles127.exe
3012	SplitFiles127.exe

pid	process
3012	SplitFiles127.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exeis-3TTSP.tmpSplitFiles127.exe

description	pid	process	target process
PID 4892 wrote to memory of 4956	4892	b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe	is-3TTSP.tmp
PID 4892 wrote to memory of 4956	4892	b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe	is-3TTSP.tmp
PID 4892 wrote to memory of 4956	4892	b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe	is-3TTSP.tmp
PID 4956 wrote to memory of 3012	4956	is-3TTSP.tmp	SplitFiles127.exe
PID 4956 wrote to memory of 3012	4956	is-3TTSP.tmp	SplitFiles127.exe
PID 4956 wrote to memory of 3012	4956	is-3TTSP.tmp	SplitFiles127.exe
PID 3012 wrote to memory of 3388	3012	SplitFiles127.exe	guroQ.exe
PID 3012 wrote to memory of 3388	3012	SplitFiles127.exe	guroQ.exe
PID 3012 wrote to memory of 3388	3012	SplitFiles127.exe	guroQ.exe

C:\Users\Admin\AppData\Local\Temp\b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe
"C:\Users\Admin\AppData\Local\Temp\b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\is-010QN.tmp\is-3TTSP.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-010QN.tmp\is-3TTSP.tmp" /SL4 $70246 "C:\Users\Admin\AppData\Local\Temp\b42a7d85d7353d56a810e4de437ba65e108d38e8098a408fd491ec96576a362d.exe" 1781230 209408
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Program Files (x86)\Split Files\SplitFiles127.exe
    "C:\Program Files (x86)\Split Files\SplitFiles127.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Roaming\{8b5c0330-510d-11ef-ac57-806e6f6e6963}\guroQ.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Split Files\SplitFiles127.exe

Filesize
3.3MB

MD5
cf3090e3b1ef89b074a1abc416b264f0

SHA1
c15b5c72185c43d1e3aa4e3727e579fccfba1906

SHA256
3e0cc394d2ecaea0002e3303beb4465604a7d44670cd5752d44d107ca733bc2c

SHA512
40bde43cef15b70df1c9e194df25b91abfa9d4b5c7bdb0d25b757404725f0ef0f705b985dde78522fc2bfb0bd1e419dc339a76c201ccafb3d48c02a00b606c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-010QN.tmp\is-3TTSP.tmp

Filesize
798KB

MD5
00081e3866e7683ce75741b46d1c4606

SHA1
6652d800b30240d6d251fd65d8b44f0cf7b0bbee

SHA256
22aff95c972dce3e96efb036fd09de545601cff2de586273033cf3364ee27c4b

SHA512
97cf5be40c6b54c9f937b610a6a9e0d43c44c802913b3bbeea2bf38b3d9e112fa7302c46cf785b00d2527480b8f3e712cce1055915a1d1b908e317f9da8d6c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BS15N.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Roaming\{8b5c0330-510d-11ef-ac57-806e6f6e6963}\guroQ.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/3012-49-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/3012-50-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/3012-51-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/3012-59-0x0000000000400000-0x000000000154F000-memory.dmp

Filesize
17.3MB

Download
memory/4892-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4892-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/4892-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4956-9-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4956-56-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads