gcleaner | ae52e6d9df3f7f2bae2499da61be04c9c42bc50ec906a4ee4119bc8ba156b547

Analysis

max time kernel
61s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
Size

353KB
MD5

c403333de741e184676165718fcf7111
SHA1

fe1b3ebe150c6eeba997cb6d00cba91afe50c075
SHA256

d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989
SHA512

cef497cf8128fafc1ca28164a0ec8a68de7f3d825178ad627f20a183c4e0bea0eb2b30f8a76c9e6f30ad559860e92f920d5b2b94afc10fdc96dabe45d3cc21e8
SSDEEP

6144:mk297oIiDDagb4XCpEHMnc6C65z6Gr5W/iNN4T:X297viDGgb4X7HcVX5z6Gr5dN

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2488	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
2200	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
2324	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
2136	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
4464	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
1972	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
4772	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
3592	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
4292	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
1396	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
408	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
3284	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
3412	3712	WerFault.exe	d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe

C:\Users\Admin\AppData\Local\Temp\d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe
"C:\Users\Admin\AppData\Local\Temp\d05faa3accafd17c997f954412a861208477f3deb4a60e8154b8a75aaac05989.exe"
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 740
2⤵
- Program crash
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 760
2⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 760
2⤵
- Program crash
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 740
2⤵
- Program crash
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 904
2⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 980
2⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1004
2⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1496
2⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1596
2⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1748
2⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1560
2⤵
- Program crash
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1616
2⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1748
2⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3712 -ip 3712
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3712 -ip 3712
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 3712 -ip 3712
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3712 -ip 3712
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 3712 -ip 3712
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3712 -ip 3712
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3712 -ip 3712
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3712 -ip 3712
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 3712 -ip 3712
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3712 -ip 3712
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3712 -ip 3712
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3712 -ip 3712
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3712 -ip 3712
1⤵
PID:4904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3712-134-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/3712-138-0x0000000000400000-0x0000000002B86000-memory.dmp

Filesize
39.5MB

Download
memory/3712-141-0x0000000000400000-0x0000000002B86000-memory.dmp

Filesize
39.5MB

Download