gcleaner | 76c09437c0f32f5fc18900988f5658c61635c16dc8c42628aadddf3fb4eca2a3

Analysis

max time kernel
62s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
Size

323KB
MD5

4654d5533c4a669a238b47dbb0fc50a3
SHA1

539d6e7d186315b27fd7b77957b488960cb5708b
SHA256

db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791
SHA512

b45773ed88ec4016e5e9e67550a7258e464e78080575d92a88f3be9688db719e7f9e60a77d71949c6966725a29df02d801a8b37dec47d68b837c356e6b3ab1ec
SSDEEP

6144:AH13WD3tpBSB8coYJUTVxTOQeDp64Rotto/+qfsqpc:AV3g3t6BDoYJOBeDp6kpK

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4944	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
2376	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
2552	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
4052	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
3848	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
1640	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
4688	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
1516	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
3368	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
5040	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
5064	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
2608	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
4252	628	WerFault.exe	db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe

C:\Users\Admin\AppData\Local\Temp\db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe
"C:\Users\Admin\AppData\Local\Temp\db396e0845fb4e19743f8cc0c1233f21f14a20cdf5f5c2b65b4e4d7f2a3f8791.exe"
1⤵
PID:628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 740
  2⤵
  - Program crash
  PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 748
  2⤵
  - Program crash
  PID:2376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 764
  2⤵
  - Program crash
  PID:2552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 772
  2⤵
  - Program crash
  PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 904
  2⤵
  - Program crash
  PID:3848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1008
  2⤵
  - Program crash
  PID:1640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 920
  2⤵
  - Program crash
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1496
  2⤵
  - Program crash
  PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1600
  2⤵
  - Program crash
  PID:3368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1776
  2⤵
  - Program crash
  PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1568
  2⤵
  - Program crash
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1604
  2⤵
  - Program crash
  PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1740
  2⤵
  - Program crash
  PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 628 -ip 628
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 628 -ip 628
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 628 -ip 628
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 628 -ip 628
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 628 -ip 628
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 628 -ip 628
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 628 -ip 628
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 628 -ip 628
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 628 -ip 628
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 628 -ip 628
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 628 -ip 628
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 628 -ip 628
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 628 -ip 628
1⤵
PID:4484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-134-0x0000000002540000-0x0000000002580000-memory.dmp

Filesize
256KB

Download
memory/628-140-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download