gcleaner | 37530db64361f15936442e2b1f6dbe3920f096d9ca093c1d012825046f053d24

Analysis

max time kernel
75s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2023, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5457285bf50fb555f651ddc0fcd19174bcdef1eb6356ea7c5872dc1a5847dd11.exe
Size

342KB
MD5

2e149c2509e751783f67aac9af2e57e5
SHA1

5b7ff80062d98aa091708ef19bf9c141d09ce258
SHA256

5457285bf50fb555f651ddc0fcd19174bcdef1eb6356ea7c5872dc1a5847dd11
SHA512

f7e934850cad3e89c11527656b02a75f812574f5eb61fc09b196c4456b82b14c480fc4f9f96b250c61b0b52c0af94df74549f5d8a4e64734279312206f88ffed
SSDEEP

6144:jf1xE4cT+KOpHMEH5d6SfjUEV+d1Z8G2lpENA4tWe:jzjcT+KKH54S7+3Z/2nSbt

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3300	3052	WerFault.exe	79
3096	3052	WerFault.exe	79
4632	3052	WerFault.exe	79
4296	3052	WerFault.exe	79
4916	3052	WerFault.exe	79
980	3052	WerFault.exe	79
4068	3052	WerFault.exe	79
4508	3052	WerFault.exe	79
5028	3052	WerFault.exe	79
4504	3052	WerFault.exe	79
3768	3052	WerFault.exe	79
4184	3052	WerFault.exe	79

C:\Users\Admin\AppData\Local\Temp\5457285bf50fb555f651ddc0fcd19174bcdef1eb6356ea7c5872dc1a5847dd11.exe
"C:\Users\Admin\AppData\Local\Temp\5457285bf50fb555f651ddc0fcd19174bcdef1eb6356ea7c5872dc1a5847dd11.exe"
1⤵
PID:3052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 732
  2⤵
  - Program crash
  PID:3300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 748
  2⤵
  - Program crash
  PID:3096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 780
  2⤵
  - Program crash
  PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 812
  2⤵
  - Program crash
  PID:4296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 904
  2⤵
  - Program crash
  PID:4916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 908
  2⤵
  - Program crash
  PID:980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1016
  2⤵
  - Program crash
  PID:4068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1524
  2⤵
  - Program crash
  PID:4508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1592
  2⤵
  - Program crash
  PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1520
  2⤵
  - Program crash
  PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1600
  2⤵
  - Program crash
  PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 968
  2⤵
  - Program crash
  PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3052 -ip 3052
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3052 -ip 3052
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3052 -ip 3052
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3052 -ip 3052
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3052 -ip 3052
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3052 -ip 3052
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3052 -ip 3052
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3052 -ip 3052
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3052 -ip 3052
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3052 -ip 3052
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3052 -ip 3052
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3052 -ip 3052
1⤵
PID:4860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-134-0x0000000002400000-0x0000000002442000-memory.dmp

Filesize
264KB

Download
memory/3052-140-0x0000000000400000-0x00000000006B0000-memory.dmp

Filesize
2.7MB

Download
memory/3052-141-0x0000000002400000-0x0000000002442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads