Analysis
-
max time kernel
82s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-04-2023 10:26
General
-
Target
8d1e8eeb17c8e574ba2664946feee2a9.exe
-
Size
339KB
-
MD5
8d1e8eeb17c8e574ba2664946feee2a9
-
SHA1
b9e1c453b4bd07752b1b522d8e2d7e81b54cb5b9
-
SHA256
8ec576ddd5ac76cdc35aeeba67ee062c9ed33eafbbbf97a25a65d4076e99591b
-
SHA512
453e00f4c5e5e6c07eb028efa20a56b4dc61b49f35d401d23d1f55ce37750874aa53a076c84d026b56c8957c153e47b256216ef902be689ad87873e49d9cf49b
-
SSDEEP
6144:0D+8a6cEaL3kNUMfITkRpZSEWYPMIukcSWd+1:0D+8ahZL3kNUU1SaTcSH
Score
10/10
Malware Config
Extracted
Family
gcleaner
C2
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Signatures
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Downloads MZ/PE file
-
Program crash 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d1e8eeb17c8e574ba2664946feee2a9.exe"C:\Users\Admin\AppData\Local\Temp\8d1e8eeb17c8e574ba2664946feee2a9.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 7402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 7602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 7602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 8122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 9042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 9562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 13202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 14842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 15842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 14802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 15242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 14922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3684 -ip 36841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3684 -ip 36841⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3684-134-0x0000000002430000-0x0000000002470000-memory.dmpFilesize
256KB
-
memory/3684-135-0x0000000000400000-0x0000000000809000-memory.dmpFilesize
4.0MB
-
memory/3684-141-0x0000000000400000-0x0000000000809000-memory.dmpFilesize
4.0MB