gcleaner | f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372

Analysis

max time kernel
73s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72d0a13d76f6cbb713922b5b48e2d3f.exe
Size

404KB
MD5

c72d0a13d76f6cbb713922b5b48e2d3f
SHA1

32ec79cddbcc637fff8bc9aeb730ceb3f249e6b3
SHA256

f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372
SHA512

d370f238f60e1f772804715d6c55731433d7357d32ac692f8d7f1fa66ffadbd94aebc5542df3a402e89e95e43828a67fecf22c0e040c4f5c5e830d3338b2e9e6
SSDEEP

3072:BPGFHcVVF6fNgGCR4QinHZCdh+6qM3wG//xuFoqy1Ib7jYuVrrcaCNoe3dM3dNBb:pUHcLF6TL6/89MOY0CiRBC1qj0

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5064	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
1328	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
2864	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
1552	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
1776	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
3032	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
228	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
3312	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
8	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
1120	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
2908	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
856	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe
3376	4604	WerFault.exe	c72d0a13d76f6cbb713922b5b48e2d3f.exe

C:\Users\Admin\AppData\Local\Temp\c72d0a13d76f6cbb713922b5b48e2d3f.exe
"C:\Users\Admin\AppData\Local\Temp\c72d0a13d76f6cbb713922b5b48e2d3f.exe"
1⤵
PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 740
  2⤵
  - Program crash
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 748
  2⤵
  - Program crash
  PID:1328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 768
  2⤵
  - Program crash
  PID:2864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 752
  2⤵
  - Program crash
  PID:1552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 904
  2⤵
  - Program crash
  PID:1776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1000
  2⤵
  - Program crash
  PID:3032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1068
  2⤵
  - Program crash
  PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1512
  2⤵
  - Program crash
  PID:3312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1548
  2⤵
  - Program crash
  PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1776
  2⤵
  - Program crash
  PID:1120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1560
  2⤵
  - Program crash
  PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1552
  2⤵
  - Program crash
  PID:856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1784
  2⤵
  - Program crash
  PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4604 -ip 4604
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
1⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4604 -ip 4604
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4604 -ip 4604
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4604 -ip 4604
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4604 -ip 4604
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4604 -ip 4604
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4604 -ip 4604
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4604 -ip 4604
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4604 -ip 4604
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4604 -ip 4604
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4604 -ip 4604
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4604 -ip 4604
1⤵
PID:2068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4604-134-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/4604-140-0x0000000000400000-0x00000000022CE000-memory.dmp

Filesize
30.8MB

Download