gcleaner | a3a9ff3c83d0f8d62372e771ce86fce67eda5fa527784894442e92d515e5c69a

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f89dab152f9dd88ade9196f1c36196b9.exe
Size

273KB
MD5

f89dab152f9dd88ade9196f1c36196b9
SHA1

6381fb160544382c0c1d2d38e6d35c38666f1bc2
SHA256

a3a9ff3c83d0f8d62372e771ce86fce67eda5fa527784894442e92d515e5c69a
SHA512

42665a72e76b99ffbaf118040b7a55eb5bab168f94eeb26f4135149fb03359f9b5942f00b35fcb35056695eb978976d4f68b35535f64dac08d1196cffca9b906
SSDEEP

3072:bw9vc6EfH0jiIy9n6mZM3UbahZMDaggjJ6RqTQGNitb07bjZqwuKYc7EcOWwYT+T:ffH0jiI+nJMds6agQTb07RGKA2bN0Qj

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1168	3700	WerFault.exe	81
2036	3700	WerFault.exe	81
4036	3700	WerFault.exe	81
1120	3700	WerFault.exe	81
4540	3700	WerFault.exe	81
224	3700	WerFault.exe	81
964	3700	WerFault.exe	81
3748	3700	WerFault.exe	81
1992	3700	WerFault.exe	81
4944	3700	WerFault.exe	81
2600	3700	WerFault.exe	81
4976	3700	WerFault.exe	81
4496	3700	WerFault.exe	81

C:\Users\Admin\AppData\Local\Temp\f89dab152f9dd88ade9196f1c36196b9.exe
"C:\Users\Admin\AppData\Local\Temp\f89dab152f9dd88ade9196f1c36196b9.exe"
1⤵
PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 740
  2⤵
  - Program crash
  PID:1168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 740
  2⤵
  - Program crash
  PID:2036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 740
  2⤵
  - Program crash
  PID:4036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 812
  2⤵
  - Program crash
  PID:1120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 904
  2⤵
  - Program crash
  PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 980
  2⤵
  - Program crash
  PID:224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1004
  2⤵
  - Program crash
  PID:964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1492
  2⤵
  - Program crash
  PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1504
  2⤵
  - Program crash
  PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1776
  2⤵
  - Program crash
  PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1608
  2⤵
  - Program crash
  PID:2600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1596
  2⤵
  - Program crash
  PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 972
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3700 -ip 3700
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3700 -ip 3700
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 3700 -ip 3700
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3700 -ip 3700
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3700 -ip 3700
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3700 -ip 3700
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3700 -ip 3700
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3700 -ip 3700
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3700 -ip 3700
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3700 -ip 3700
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3700 -ip 3700
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3700 -ip 3700
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3700 -ip 3700
1⤵
PID:2952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3700-134-0x00000000022F0000-0x0000000002332000-memory.dmp

Filesize
264KB

Download
memory/3700-140-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads