Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

508e67f9f8...e9.exe

windows7-x64

10

508e67f9f8...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    508e67f9f8ecec59538cd61fc6aaf0c25b4194d6dbd8b830f7b5bb2b8adf5ae9.exe

  • Size

    238KB

  • MD5

    d7a8d0ada2565dbc31293ce1d3a59470

  • SHA1

    a7bc1a8f5975a99949e8fa075221183d464c0714

  • SHA256

    508e67f9f8ecec59538cd61fc6aaf0c25b4194d6dbd8b830f7b5bb2b8adf5ae9

  • SHA512

    e3a8a81026551ab2a4383f4cd95099d6efc7d5710c3e996908fe7d87deaf41a51a9fe7bf8af93e9dc71067776e32d4946c6da4926a3fb81969193cebd3f9b752

  • SSDEEP

    3072:nijYQAMaMbfYAgVotVdHEn4b+4WFIyqxmf2HwUFCJijtzJngkZkDI6ocxf8a02:nijF9BlVdkoEFIy5OJzBgkZk8jcxL

Score
10/10
gcleanerloader

Malware Config

Extracted

Family

gcleaner

C2

185.172.128.90

5.42.64.3

5.42.65.115

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Downloads MZ/PE file
  • Program crash 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\508e67f9f8ecec59538cd61fc6aaf0c25b4194d6dbd8b830f7b5bb2b8adf5ae9.exe
    "C:\Users\Admin\AppData\Local\Temp\508e67f9f8ecec59538cd61fc6aaf0c25b4194d6dbd8b830f7b5bb2b8adf5ae9.exe"
    1⤵
      PID:5080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 740
        2⤵
        • Program crash
        PID:4752
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 760
        2⤵
        • Program crash
        PID:1176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 788
        2⤵
        • Program crash
        PID:600
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 832
        2⤵
        • Program crash
        PID:4836
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 904
        2⤵
        • Program crash
        PID:3976
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 996
        2⤵
        • Program crash
        PID:2644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1072
        2⤵
        • Program crash
        PID:3108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 744
        2⤵
        • Program crash
        PID:456
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5080 -ip 5080
      1⤵
        PID:468
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5080 -ip 5080
        1⤵
          PID:3584
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5080 -ip 5080
          1⤵
            PID:2512
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5080 -ip 5080
            1⤵
              PID:5040
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5080 -ip 5080
              1⤵
                PID:3104
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5080 -ip 5080
                1⤵
                  PID:2692
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5080 -ip 5080
                  1⤵
                    PID:2316
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5080 -ip 5080
                    1⤵
                      PID:3656

                    Network

                    MITRE ATT&CK Matrix

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/5080-1-0x0000000000610000-0x0000000000710000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/5080-2-0x00000000021F0000-0x000000000222C000-memory.dmp

                      Filesize

                      240KB

                      Download

                    • memory/5080-3-0x0000000000400000-0x0000000000485000-memory.dmp

                      Filesize

                      532KB

                      Download

                    • memory/5080-6-0x0000000000610000-0x0000000000710000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/5080-7-0x00000000021F0000-0x000000000222C000-memory.dmp

                      Filesize

                      240KB

                      Download