gcleaner | 91ebf3d6754fa3615c27f003cadc820d0f22d15eb43c1991da905d50f871805d

Analysis

max time kernel
61s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a71b6a7f7c140a7b3a8a9112f86318.exe
Size

267KB
MD5

21a71b6a7f7c140a7b3a8a9112f86318
SHA1

0efef77ebe958a59dde953e75d39725e7efb5c96
SHA256

91ebf3d6754fa3615c27f003cadc820d0f22d15eb43c1991da905d50f871805d
SHA512

b7113928258896d5d9ddaf1fbbc676057cab34e672f01931b208d975fceac75e2f9d970e8b643de6f3c3e21111fbc6f000780fe05032e746bf00d95604dd53da
SSDEEP

3072:kG284CxTIuluIbCETuXsP2o/AF4OGxgpKiYYFm9caiCjQ+9argtKuDlY:N28Dd8WJfP2tFwfp1iC8+9VtJY

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3820	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
3488	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
1512	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
4788	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
4220	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
4444	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
1836	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
2212	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
2648	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
3576	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe
4948	2160	WerFault.exe	21a71b6a7f7c140a7b3a8a9112f86318.exe

C:\Users\Admin\AppData\Local\Temp\21a71b6a7f7c140a7b3a8a9112f86318.exe
"C:\Users\Admin\AppData\Local\Temp\21a71b6a7f7c140a7b3a8a9112f86318.exe"
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 740
2⤵
- Program crash
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 760
2⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 780
2⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 816
2⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 928
2⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 932
2⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1080
2⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1500
2⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1512
2⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1568
2⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1556
2⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2160 -ip 2160
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 2160 -ip 2160
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2160 -ip 2160
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2160 -ip 2160
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2160 -ip 2160
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2160 -ip 2160
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2160 -ip 2160
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2160 -ip 2160
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2160 -ip 2160
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2160 -ip 2160
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2160 -ip 2160
1⤵
PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-134-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/2160-140-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2160-141-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download