gcleaner | faeffb395139b51e0c53f62d7103bc8cdda88fcb719b51a83d81efd627a9aca6

Analysis

max time kernel
136s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2023 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16a9bd684974d09703804d773e0252a2.exe
Size

433KB
MD5

16a9bd684974d09703804d773e0252a2
SHA1

6b5d36a88c0a98e0d211f99ef55ca6eb40e9dfb0
SHA256

faeffb395139b51e0c53f62d7103bc8cdda88fcb719b51a83d81efd627a9aca6
SHA512

b8e3feee0db24650a489a4df908ad48c53966da160b4e99124998afced24647793d1ea6fe7a193df4d9673b690eab906347f78852d8f84ef18fbe2b9b4ce0898
SSDEEP

6144:w5TWB/lIhQsQ8BO57QNG4C1FS0WV98NDS96sVo8tGUKuSDCV+E:w5OtvsQ8E576CrrWH4qw5CVr

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4080	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
508	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
856	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
2932	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
2728	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
952	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
212	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
4280	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
4268	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
4564	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
4008	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
1264	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe
2296	4496	WerFault.exe	16a9bd684974d09703804d773e0252a2.exe

C:\Users\Admin\AppData\Local\Temp\16a9bd684974d09703804d773e0252a2.exe
"C:\Users\Admin\AppData\Local\Temp\16a9bd684974d09703804d773e0252a2.exe"
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 744
2⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 744
2⤵
- Program crash
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 744
2⤵
- Program crash
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 788
2⤵
- Program crash
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 904
2⤵
- Program crash
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1000
2⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1132
2⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1500
2⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1588
2⤵
- Program crash
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1768
2⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1764
2⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1600
2⤵
- Program crash
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1540
2⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4496 -ip 4496
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4496 -ip 4496
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4496 -ip 4496
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4496 -ip 4496
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4496 -ip 4496
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4496 -ip 4496
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4496 -ip 4496
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4496 -ip 4496
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4496 -ip 4496
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4496 -ip 4496
1⤵
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4496 -ip 4496
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4496 -ip 4496
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4496 -ip 4496
1⤵
PID:4060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4496-134-0x0000000002580000-0x00000000025C1000-memory.dmp

Filesize
260KB

Download
memory/4496-135-0x0000000000400000-0x0000000000811000-memory.dmp

Filesize
4.1MB

Download
memory/4496-141-0x0000000000400000-0x0000000000811000-memory.dmp

Filesize
4.1MB

Download