Overview

overview

10

Static

static

3

a98ec02535...20.exe

windows7-x64

10

a98ec02535...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-02-2024 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a98ec0253594d14cada3f9c0b0347720.exe

  • Size

    221KB

  • MD5

    a98ec0253594d14cada3f9c0b0347720

  • SHA1

    9f56b49690cdd9308b729d6ba6fa4134c89e61fa

  • SHA256

    92b7baea3245ab0127160bdaec0b6f05901740bd40bb3adc21dcca4d238cf097

  • SHA512

    a05615828bfd009e782f7edb0fa336afc22e5865674ffcb49477a547f9b9eb42df47ee49d0513d075d50348544f0cb5c1c9352928b38d4029d0cd005a373141a

  • SSDEEP

    6144:dvqJpuyzOtLbcloC8ZzleQ7O5YTPQsI5/:dvqJ5zOtLbcCc

Score
10/10
gcleaneronlyloggerloader

Malware Config

Extracted

Family

gcleaner

C2

194.145.227.161

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger
  • OnlyLogger payload 5 IoCs
  • Program crash 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a98ec0253594d14cada3f9c0b0347720.exe
    "C:\Users\Admin\AppData\Local\Temp\a98ec0253594d14cada3f9c0b0347720.exe"
    1⤵
      PID:368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 640
        2⤵
        • Program crash
        PID:3844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 660
        2⤵
        • Program crash
        PID:3292
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 764
        2⤵
        • Program crash
        PID:3528
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 672
        2⤵
        • Program crash
        PID:3388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 804
        2⤵
        • Program crash
        PID:452
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 752
        2⤵
        • Program crash
        PID:940
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1044
        2⤵
        • Program crash
        PID:3392
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1052
        2⤵
        • Program crash
        PID:1976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 1108
        2⤵
        • Program crash
        PID:540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 368 -ip 368
      1⤵
        PID:2460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 368 -ip 368
        1⤵
          PID:1596
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 368 -ip 368
          1⤵
            PID:396
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 368 -ip 368
            1⤵
              PID:1424
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 368 -ip 368
              1⤵
                PID:2156
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 368 -ip 368
                1⤵
                  PID:2128
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 368 -ip 368
                  1⤵
                    PID:2612
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 368 -ip 368
                    1⤵
                      PID:4648
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 368 -ip 368
                      1⤵
                        PID:2156

                      Network

                      MITRE ATT&CK Matrix

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/368-1-0x0000000002E60000-0x0000000002F60000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/368-2-0x0000000004900000-0x000000000492F000-memory.dmp

                        Filesize

                        188KB

                        Download

                      • memory/368-3-0x0000000000400000-0x0000000002CC7000-memory.dmp

                        Filesize

                        40.8MB

                        Download

                      • memory/368-4-0x0000000000400000-0x0000000002CC7000-memory.dmp

                        Filesize

                        40.8MB

                        Download

                      • memory/368-6-0x0000000002E60000-0x0000000002F60000-memory.dmp

                        Filesize

                        1024KB

                        Download

                      • memory/368-7-0x0000000004900000-0x000000000492F000-memory.dmp

                        Filesize

                        188KB

                        Download