gcleaner | 882c26437f13e0ac3047c698101b57d9028e4df372715ed0c037d64318235fea

Analysis

max time kernel
98s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8af9112cb979e7cf803a1130dc21ee5.exe
Size

266KB
MD5

d8af9112cb979e7cf803a1130dc21ee5
SHA1

5442002b1356a058c8df09ae9a3fe64d5a697e2b
SHA256

882c26437f13e0ac3047c698101b57d9028e4df372715ed0c037d64318235fea
SHA512

c8d16219800e3df028f7449f3fdbc9bf830d3952951f37cabcc11c4695ef7ce095c3a756cc758adc3a168beb07ecf355049d8f9df905360226ea30b4269e5307
SSDEEP

6144:228WoGDd4/d3RP4rZh82exQ4m14jcu7z9ykO:U18sYrXia43IQByk

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1232	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
1800	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
1964	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
3640	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
1856	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
2200	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
3620	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
4336	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
1488	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
4500	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
2076	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
4960	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe
3900	3128	WerFault.exe	d8af9112cb979e7cf803a1130dc21ee5.exe

C:\Users\Admin\AppData\Local\Temp\d8af9112cb979e7cf803a1130dc21ee5.exe
"C:\Users\Admin\AppData\Local\Temp\d8af9112cb979e7cf803a1130dc21ee5.exe"
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 740
2⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 748
2⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 748
2⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 812
2⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 904
2⤵
- Program crash
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 912
2⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1320
2⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1520
2⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1556
2⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1736
2⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1568
2⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1724
2⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1528
2⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3128 -ip 3128
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3128 -ip 3128
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3128 -ip 3128
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3128 -ip 3128
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3128 -ip 3128
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3128 -ip 3128
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3128 -ip 3128
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3128 -ip 3128
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3128 -ip 3128
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3128 -ip 3128
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3128 -ip 3128
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3128 -ip 3128
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3128 -ip 3128
1⤵
PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3128-134-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/3128-140-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download