gcleaner | 232c541e2a191a25b874cd8def1b41c023ae0b06b408b9db60e1055f38a7fc8c

Analysis

max time kernel
70s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
Size

404KB
MD5

c72d0a13d76f6cbb713922b5b48e2d3f
SHA1

32ec79cddbcc637fff8bc9aeb730ceb3f249e6b3
SHA256

f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372
SHA512

d370f238f60e1f772804715d6c55731433d7357d32ac692f8d7f1fa66ffadbd94aebc5542df3a402e89e95e43828a67fecf22c0e040c4f5c5e830d3338b2e9e6
SSDEEP

3072:BPGFHcVVF6fNgGCR4QinHZCdh+6qM3wG//xuFoqy1Ib7jYuVrrcaCNoe3dM3dNBb:pUHcLF6TL6/89MOY0CiRBC1qj0

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3516	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
2840	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
4764	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
1828	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
4168	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
2880	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
1696	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
2204	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
2888	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
1168	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
4044	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
3012	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
1536	1916	WerFault.exe	f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe

C:\Users\Admin\AppData\Local\Temp\f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe
"C:\Users\Admin\AppData\Local\Temp\f04f7c4388d063e19fdd1a7a9661c7e74294a5db335d4981cfda0abd7a158372.exe"
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 740
2⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 748
2⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 748
2⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 784
2⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 904
2⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 980
2⤵
- Program crash
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1320
2⤵
- Program crash
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1508
2⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1728
2⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1580
2⤵
- Program crash
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1572
2⤵
- Program crash
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1772
2⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1764
2⤵
- Program crash
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1916 -ip 1916
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1916 -ip 1916
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1916 -ip 1916
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1916 -ip 1916
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1916 -ip 1916
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1916 -ip 1916
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1916 -ip 1916
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1916 -ip 1916
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1916 -ip 1916
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1916 -ip 1916
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1916 -ip 1916
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1916 -ip 1916
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1916 -ip 1916
1⤵
PID:3704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1916-134-0x0000000004020000-0x0000000004060000-memory.dmp

Filesize
256KB

Download
memory/1916-142-0x0000000000400000-0x00000000022CE000-memory.dmp

Filesize
30.8MB

Download