gcleaner | 5676399d2044685dc3e19b7f7be2e1c105cea80eb1c4b2f7ce0fc6d7424135ba

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2023, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
Size

287KB
MD5

b5b84cab9d28675874e2365f7159cc72
SHA1

3e2cf75b737a19516e0acc6971aea13def5abc37
SHA256

a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98
SHA512

d732ccf937dedffb52226dc6c2496d9ada8307b885e680390db7cd3c1bc025d81eb64c488314b5bcd3f90b628d05e883bba24907755228c63ae064bb920c0e41
SSDEEP

6144:pfuYGCtr7u++PgfwNvxv2i/lXQasp2gQPN/xM:0YGWu+jwNvl/lAasa1

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 12 IoCs

pid	pid_target	Process	procid_target
2144	4452	WerFault.exe	83
4396	4452	WerFault.exe	83
3392	4452	WerFault.exe	83
1524	4452	WerFault.exe	83
2632	4452	WerFault.exe	83
116	4452	WerFault.exe	83
32	4452	WerFault.exe	83
4644	4452	WerFault.exe	83
2192	4452	WerFault.exe	83
4480	4452	WerFault.exe	83
1672	4452	WerFault.exe	83
4912	4452	WerFault.exe	83

C:\Users\Admin\AppData\Local\Temp\a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
"C:\Users\Admin\AppData\Local\Temp\a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe"
1⤵
PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 740
  2⤵
  - Program crash
  PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 760
  2⤵
  - Program crash
  PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 760
  2⤵
  - Program crash
  PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 840
  2⤵
  - Program crash
  PID:1524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 904
  2⤵
  - Program crash
  PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 912
  2⤵
  - Program crash
  PID:116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1320
  2⤵
  - Program crash
  PID:32
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1484
  2⤵
  - Program crash
  PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1564
  2⤵
  - Program crash
  PID:2192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1528
  2⤵
  - Program crash
  PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1540
  2⤵
  - Program crash
  PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1492
  2⤵
  - Program crash
  PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4452 -ip 4452
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4452 -ip 4452
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4452 -ip 4452
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4452 -ip 4452
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4452 -ip 4452
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4452 -ip 4452
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4452 -ip 4452
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4452 -ip 4452
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4452 -ip 4452
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4452 -ip 4452
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4452 -ip 4452
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4452 -ip 4452
1⤵
PID:3368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4452-134-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/4452-135-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4452-142-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads