gcleaner | 0940206b6035dce4d1899cdd7bec4517d09d30c54b0216357d1d3fe61f1178b5

Analysis

max time kernel
103s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2023 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec0d920855372275394954ffa6b07136.exe
Size

382KB
MD5

ec0d920855372275394954ffa6b07136
SHA1

3b3600c956b3fe3de980a8302baebb671b99e956
SHA256

0940206b6035dce4d1899cdd7bec4517d09d30c54b0216357d1d3fe61f1178b5
SHA512

f603d1868acd96352f2b0880e8a771a1a675d40fcb0c2e3d55b0dc8a90f0204953f830f4a45142ccd1a567f8c0395093b68ef8a2907d4f006355450479a63d38
SSDEEP

6144:QMfx/WXf2QEoxczyNNPGacwNMYpJ6ey7:QQeXfUoxcGHP9cwN7ue

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2628	2780	WerFault.exe	82
2492	2780	WerFault.exe	82
1800	2780	WerFault.exe	82
4328	2780	WerFault.exe	82
5016	2780	WerFault.exe	82
1540	2780	WerFault.exe	82
320	2780	WerFault.exe	82
1420	2780	WerFault.exe	82

C:\Users\Admin\AppData\Local\Temp\ec0d920855372275394954ffa6b07136.exe
"C:\Users\Admin\AppData\Local\Temp\ec0d920855372275394954ffa6b07136.exe"
1⤵
PID:2780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 740
  2⤵
  - Program crash
  PID:2628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 784
  2⤵
  - Program crash
  PID:2492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 784
  2⤵
  - Program crash
  PID:1800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 832
  2⤵
  - Program crash
  PID:4328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 904
  2⤵
  - Program crash
  PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 908
  2⤵
  - Program crash
  PID:1540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 1060
  2⤵
  - Program crash
  PID:320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 972
  2⤵
  - Program crash
  PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2780 -ip 2780
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2780 -ip 2780
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2780 -ip 2780
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2780 -ip 2780
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2780 -ip 2780
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2780 -ip 2780
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2780 -ip 2780
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2780 -ip 2780
1⤵
PID:3428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-134-0x0000000000890000-0x00000000008D2000-memory.dmp

Filesize
264KB

Download
memory/2780-135-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/2780-137-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads