Overview

overview

10

Static

static

3

e6a1c97a26...7f.exe

windows7-x64

10

e6a1c97a26...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6a1c97a26a0901473f9ca53cd39967f.exe

  • Size

    1.9MB

  • MD5

    e6a1c97a26a0901473f9ca53cd39967f

  • SHA1

    16d060d65114d89e9c2ee5516be1c4c95f60d39e

  • SHA256

    3ed31a41ff5e2ffec4dba349fb5fd434eebc72d1426eb0a220b22e5ededaae23

  • SHA512

    125fc67e0ac04015d3cc765050ecb8c9b1cc18c8177ffdcce7f36a9e1aeebe7bbfa5aef6a81c6ce7a6f2b10b0ac0db57642f0262d7bdc60ae264aaf02e2899b5

  • SSDEEP

    49152:r2Oz9lIo5WQm5OlTRxYnykwh8tSch0rKK57d6+:rBzrUwhGSaydFd6

Score
10/10
gcleanerdiscoveryevasionloader

Malware Config

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6a1c97a26a0901473f9ca53cd39967f.exe
    "C:\Users\Admin\AppData\Local\Temp\e6a1c97a26a0901473f9ca53cd39967f.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1384
      2⤵
      • Program crash
      PID:2148
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2428 -ip 2428
    1⤵
      PID:3372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\download[1].htm
      Filesize

      1B

      MD5

      cfcd208495d565ef66e7dff9f98764da

      SHA1

      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

      SHA256

      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

      SHA512

      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

      Download Submit

    • memory/2428-2-0x0000000000401000-0x0000000000426000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2428-6-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-17-0x0000000000401000-0x0000000000426000-memory.dmp

      Filesize

      148KB

      Download

    • memory/2428-0-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-18-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-7-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-11-0x0000000010000000-0x000000001001C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2428-20-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-4-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-3-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-15-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2428-22-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-27-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-33-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-39-0x0000000000400000-0x0000000000C78000-memory.dmp

      Filesize

      8.5MB

      Download

    • memory/2428-40-0x0000000000401000-0x0000000000426000-memory.dmp

      Filesize

      148KB

      Download