gcleaner | 6d2016e9d9252c1025080f601edbd0709b99066c87550206914dda9cea247c5d

Analysis

max time kernel
101s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

008380199.exe
Size

328KB
MD5

0837b113c5c34a669e0152706b8c2e18
SHA1

78df15d15e884ce84868699ee80b32f5bc5625ed
SHA256

6d2016e9d9252c1025080f601edbd0709b99066c87550206914dda9cea247c5d
SHA512

d96e44b81c19c4412dd067652d0b2571f9a516b528d12ca87c356fdfdf0f711fb4b71a7123c7f1d638c373f17d2c0962dfeb5a2a1912fcec339732917b4bb8b7
SSDEEP

6144:m4Nn6UY0IrEykmebULBBBVIGwZAis4Vz1R0utVZT:mQ6UxIgyqQBBBwjzImD

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

pid	pid_target	Process	procid_target
700	4912	WerFault.exe	82
1300	4912	WerFault.exe	82
4992	4912	WerFault.exe	82
1512	4912	WerFault.exe	82
5104	4912	WerFault.exe	82
3124	4912	WerFault.exe	82
4548	4912	WerFault.exe	82
3676	4912	WerFault.exe	82

C:\Users\Admin\AppData\Local\Temp\008380199.exe
"C:\Users\Admin\AppData\Local\Temp\008380199.exe"
1⤵
PID:4912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 740
  2⤵
  - Program crash
  PID:700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 748
  2⤵
  - Program crash
  PID:1300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 748
  2⤵
  - Program crash
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 832
  2⤵
  - Program crash
  PID:1512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 904
  2⤵
  - Program crash
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 980
  2⤵
  - Program crash
  PID:3124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 980
  2⤵
  - Program crash
  PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 972
  2⤵
  - Program crash
  PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4912 -ip 4912
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4912 -ip 4912
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4912 -ip 4912
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4912 -ip 4912
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4912 -ip 4912
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4912 -ip 4912
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4912 -ip 4912
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4912 -ip 4912
1⤵
PID:2648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4912-134-0x00000000022F0000-0x0000000002332000-memory.dmp

Filesize
264KB

Download
memory/4912-135-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/4912-136-0x00000000022F0000-0x0000000002332000-memory.dmp

Filesize
264KB

Download
memory/4912-138-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads