gcleaner | 5676399d2044685dc3e19b7f7be2e1c105cea80eb1c4b2f7ce0fc6d7424135ba

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
Size

287KB
MD5

b5b84cab9d28675874e2365f7159cc72
SHA1

3e2cf75b737a19516e0acc6971aea13def5abc37
SHA256

a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98
SHA512

d732ccf937dedffb52226dc6c2496d9ada8307b885e680390db7cd3c1bc025d81eb64c488314b5bcd3f90b628d05e883bba24907755228c63ae064bb920c0e41
SSDEEP

6144:pfuYGCtr7u++PgfwNvxv2i/lXQasp2gQPN/xM:0YGWu+jwNvl/lAasa1

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2144	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
4396	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
3392	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
1524	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
2632	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
116	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
32	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
4644	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
2192	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
4480	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
1672	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
4912	4452	WerFault.exe	a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe

C:\Users\Admin\AppData\Local\Temp\a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe
"C:\Users\Admin\AppData\Local\Temp\a8604d1185e93f54fca91fb6658e865f3ef22c0ddd7710c30ec940ebbc4fdd98.exe"
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 740
2⤵
- Program crash
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 760
2⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 760
2⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 840
2⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 904
2⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 912
2⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1320
2⤵
- Program crash
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1484
2⤵
- Program crash
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1564
2⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1528
2⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1540
2⤵
- Program crash
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1492
2⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4452 -ip 4452
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4452 -ip 4452
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4452 -ip 4452
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4452 -ip 4452
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4452 -ip 4452
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4452 -ip 4452
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4452 -ip 4452
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4452 -ip 4452
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4452 -ip 4452
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4452 -ip 4452
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4452 -ip 4452
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4452 -ip 4452
1⤵
PID:3368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4452-134-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/4452-135-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4452-142-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download