gcleaner | 209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d

Analysis

max time kernel
115s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbc42d76c05b9e89b481b7bcbaf259d1.exe
Size

280KB
MD5

cbc42d76c05b9e89b481b7bcbaf259d1
SHA1

8d1990ca06305c8a4bd206ffd2b1ca75e11b68f7
SHA256

209fdb1e0d3624b400c9c6d348c05a92062c8cb771d240f1d490a7b1a631b80d
SHA512

34f331d9abc5c4df286ecdde9f09447e82344f35efc3a8be2d802805a909ca92a6721f44d5249c631b1d67fcbf093e2f4b71907a33bea9d12ba2e5dc086e50c6
SSDEEP

6144:3c7qjHl2c2Dq4CEKf2wxHe9ExV9uTeNxT:3YqRjVx+EYEgi

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1340	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
988	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
1800	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
3972	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
2116	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
4492	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
4100	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
2708	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
688	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
4244	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
1840	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
4940	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe
3692	4264	WerFault.exe	cbc42d76c05b9e89b481b7bcbaf259d1.exe

C:\Users\Admin\AppData\Local\Temp\cbc42d76c05b9e89b481b7bcbaf259d1.exe
"C:\Users\Admin\AppData\Local\Temp\cbc42d76c05b9e89b481b7bcbaf259d1.exe"
1⤵
PID:4264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 740
  2⤵
  - Program crash
  PID:1340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 760
  2⤵
  - Program crash
  PID:988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 760
  2⤵
  - Program crash
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 812
  2⤵
  - Program crash
  PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 904
  2⤵
  - Program crash
  PID:2116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 980
  2⤵
  - Program crash
  PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1048
  2⤵
  - Program crash
  PID:4100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1500
  2⤵
  - Program crash
  PID:2708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1584
  2⤵
  - Program crash
  PID:688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1752
  2⤵
  - Program crash
  PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1604
  2⤵
  - Program crash
  PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1744
  2⤵
  - Program crash
  PID:4940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1792
  2⤵
  - Program crash
  PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4264 -ip 4264
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4264 -ip 4264
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4264 -ip 4264
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4264 -ip 4264
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4264 -ip 4264
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4264 -ip 4264
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4264 -ip 4264
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4264 -ip 4264
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4264 -ip 4264
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4264 -ip 4264
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4264 -ip 4264
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4264 -ip 4264
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4264 -ip 4264
1⤵
PID:3344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4264-134-0x0000000000580000-0x00000000005C0000-memory.dmp

Filesize
256KB

Download
memory/4264-140-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download