gcleaner | a77732ddffe3379c1637253174c4ee2f4b6b3f619efcee3bc2e9da2f39608bd2

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71dff14ffdc3e09c404c2a55e84430ff.exe
Size

266KB
MD5

71dff14ffdc3e09c404c2a55e84430ff
SHA1

bd4f363cfa68f9988c38c4c5bb08935081486ec0
SHA256

a77732ddffe3379c1637253174c4ee2f4b6b3f619efcee3bc2e9da2f39608bd2
SHA512

e15f76b7fb10cdd29f95c64162ec76b549c6a17e6b5cc821f51f28470b71ed735c5fc29303db9e4a0dc9dec66a0d84bb7de2ac06674747f99febaedfad4a9169
SSDEEP

3072:4wvy57PHN2Zl7uToLz8UxzD80+djrEnHWGYaaSKDrj206FqvPuMS2L5YW5uub:WPHN2PqToLAa80yXm2GzPGu06cvPuMu

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2348	5012	WerFault.exe	82
4952	5012	WerFault.exe	82
548	5012	WerFault.exe	82
4704	5012	WerFault.exe	82
4884	5012	WerFault.exe	82
4760	5012	WerFault.exe	82
2560	5012	WerFault.exe	82
4488	5012	WerFault.exe	82
3736	5012	WerFault.exe	82
432	5012	WerFault.exe	82
4616	5012	WerFault.exe	82
440	5012	WerFault.exe	82
528	5012	WerFault.exe	82

C:\Users\Admin\AppData\Local\Temp\71dff14ffdc3e09c404c2a55e84430ff.exe
"C:\Users\Admin\AppData\Local\Temp\71dff14ffdc3e09c404c2a55e84430ff.exe"
1⤵
PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 740
  2⤵
  - Program crash
  PID:2348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 772
  2⤵
  - Program crash
  PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 772
  2⤵
  - Program crash
  PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 840
  2⤵
  - Program crash
  PID:4704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 904
  2⤵
  - Program crash
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 980
  2⤵
  - Program crash
  PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1064
  2⤵
  - Program crash
  PID:2560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1436
  2⤵
  - Program crash
  PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1500
  2⤵
  - Program crash
  PID:3736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1744
  2⤵
  - Program crash
  PID:432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1560
  2⤵
  - Program crash
  PID:4616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1732
  2⤵
  - Program crash
  PID:440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1740
  2⤵
  - Program crash
  PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5012 -ip 5012
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5012 -ip 5012
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5012 -ip 5012
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5012 -ip 5012
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5012 -ip 5012
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012
1⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5012 -ip 5012
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5012 -ip 5012
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5012 -ip 5012
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5012 -ip 5012
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5012 -ip 5012
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5012 -ip 5012
1⤵
PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5012-134-0x00000000008B0000-0x00000000008F2000-memory.dmp

Filesize
264KB

Download
memory/5012-135-0x0000000000400000-0x00000000006EB000-memory.dmp

Filesize
2.9MB

Download
memory/5012-142-0x0000000000400000-0x00000000006EB000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads