gcleaner | 5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5

Analysis

max time kernel
131s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
Size

273KB
MD5

0d24d4aedee36f50cce13572c0586fed
SHA1

c7ff14407d46d06bed3a7b47b1170adfedc50f92
SHA256

5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5
SHA512

8c3294fadd2e3704cac9bb60a0761a3ab09287ce860d82682afc52cc8770085458c973a2bb0f54da067b955e80ab6454e5cdb98f1b4d31d46b327813e6963307
SSDEEP

3072:PvcWbfZpjSG9n/jJh0iMPx8ssSfG8wfWgbRgn3EAPAsaKPDZaPjJwhKIgY:HLbS0JhCPx8Y2fWgVKEyHjPDZaGhK

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

185.172.128.69

Attributes

url_path
/advdlc.php

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2160	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
4436	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
740	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
644	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
3812	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
1708	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
1676	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
5012	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
1984	1480	WerFault.exe	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4528 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 4528 taskkill.exe

pid	process
4528	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4528	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.execmd.exe

description	pid	process	target process
PID 1480 wrote to memory of 5024	1480	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe	cmd.exe
PID 1480 wrote to memory of 5024	1480	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe	cmd.exe
PID 1480 wrote to memory of 5024	1480	5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe	cmd.exe
PID 5024 wrote to memory of 4528	5024	cmd.exe	taskkill.exe
PID 5024 wrote to memory of 4528	5024	cmd.exe	taskkill.exe
PID 5024 wrote to memory of 4528	5024	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe
"C:\Users\Admin\AppData\Local\Temp\5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 740
2⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 760
2⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 760
2⤵
- Program crash
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 780
2⤵
- Program crash
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 904
2⤵
- Program crash
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 980
2⤵
- Program crash
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1008
2⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1356
2⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "5b34b4176da2eb96e16532906213683b967f950423d74740fcc2979b6f8f4fe5.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1368
2⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1480 -ip 1480
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1480 -ip 1480
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1480 -ip 1480
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1480 -ip 1480
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1480 -ip 1480
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1480 -ip 1480
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1480 -ip 1480
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1480 -ip 1480
1⤵
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\advdlc[1].htm
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/1480-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-2-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/1480-1-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/1480-4-0x0000000000400000-0x0000000002BFD000-memory.dmp

Filesize
40.0MB

Download
memory/1480-6-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/1480-12-0x0000000000400000-0x0000000002BFD000-memory.dmp

Filesize
40.0MB

Download
memory/1480-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-24-0x0000000000400000-0x0000000002BFD000-memory.dmp

Filesize
40.0MB

Download