gcleaner | 5a454dbfc4aa1189324c2b5942b671bd2f8908a12070ddeec1cb78b97193f6fd

Analysis

max time kernel
88s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2023 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29f01b4e7cdb40b17ed55805b7ccc1ac.exe
Size

382KB
MD5

29f01b4e7cdb40b17ed55805b7ccc1ac
SHA1

665dbe9c0f7be9088ac9a11180cbbf14ae9db60e
SHA256

5a454dbfc4aa1189324c2b5942b671bd2f8908a12070ddeec1cb78b97193f6fd
SHA512

880f0dddb4ec1ed7527ebbfbec1f6e4abe0eb396fedf03588342b189ee9c48b9528a84e5735d4dfe47bb1881032cee539e88aa499cc71c56f9d272a18fd5d3ea
SSDEEP

6144:3kvGi5m8vUzU+Yk44jqbJxeNnQvjM+ZAyvdkiUW:3kvp5wQYjSxeNiAFiUW

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4708	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
4124	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
5092	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
2348	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
400	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
4680	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
4312	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
2876	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
4364	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
1800	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
2096	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe
4840	3088	WerFault.exe	29f01b4e7cdb40b17ed55805b7ccc1ac.exe

C:\Users\Admin\AppData\Local\Temp\29f01b4e7cdb40b17ed55805b7ccc1ac.exe
"C:\Users\Admin\AppData\Local\Temp\29f01b4e7cdb40b17ed55805b7ccc1ac.exe"
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 744
2⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 784
2⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 760
2⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 768
2⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 904
2⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1000
2⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1312
2⤵
- Program crash
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1496
2⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1564
2⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1772
2⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1596
2⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1480
2⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3088 -ip 3088
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3088 -ip 3088
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3088 -ip 3088
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3088 -ip 3088
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3088 -ip 3088
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3088 -ip 3088
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3088 -ip 3088
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3088 -ip 3088
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3088 -ip 3088
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3088 -ip 3088
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3088 -ip 3088
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3088 -ip 3088
1⤵
PID:4428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3088-134-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/3088-135-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/3088-142-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download