gcleaner | 2d74b4f3064f10a1709c5ff44529c0ba2383691a3c4d8e3cd7b831d719044104

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d74b4f3064f10a1709c5ff44529c0ba2383691a3c4d8e3cd7b831d719044104.exe
Size

399KB
MD5

974798340a0c7e4177fd06f9485bb967
SHA1

3973df541b407a24f638584da516274511014410
SHA256

2d74b4f3064f10a1709c5ff44529c0ba2383691a3c4d8e3cd7b831d719044104
SHA512

43bdc7e42e3fc59f038dfd4cae4b41fec220bf35efd1e23b3b4ba3ce133cdcb1d04cce3dc112d04498c9c3005ce55dab3109b9d25bbcce121474a1290ef487d3
SSDEEP

6144:eALDH0gWkpn9+xFYfXD1E5eoadSwZtkulrm0y:eAfH0Qn9Smf5EFRwZ/80

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2732	3856	WerFault.exe	89
3712	3856	WerFault.exe	89
2388	3856	WerFault.exe	89
2080	3856	WerFault.exe	89
4012	3856	WerFault.exe	89
60	3856	WerFault.exe	89
3752	3856	WerFault.exe	89
3140	3856	WerFault.exe	89

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3856	2d74b4f3064f10a1709c5ff44529c0ba2383691a3c4d8e3cd7b831d719044104.exe

C:\Users\Admin\AppData\Local\Temp\2d74b4f3064f10a1709c5ff44529c0ba2383691a3c4d8e3cd7b831d719044104.exe
"C:\Users\Admin\AppData\Local\Temp\2d74b4f3064f10a1709c5ff44529c0ba2383691a3c4d8e3cd7b831d719044104.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 456
  2⤵
  - Program crash
  PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 768
  2⤵
  - Program crash
  PID:3712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 788
  2⤵
  - Program crash
  PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 768
  2⤵
  - Program crash
  PID:2080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 788
  2⤵
  - Program crash
  PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 812
  2⤵
  - Program crash
  PID:60
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 812
  2⤵
  - Program crash
  PID:3752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1240
  2⤵
  - Program crash
  PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3856 -ip 3856
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3856 -ip 3856
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3856 -ip 3856
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3856 -ip 3856
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3856 -ip 3856
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3856 -ip 3856
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3856 -ip 3856
1⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3856 -ip 3856
1⤵
PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3856-2-0x0000000003850000-0x000000000388C000-memory.dmp

Filesize
240KB

Download
memory/3856-1-0x0000000001E60000-0x0000000001F60000-memory.dmp

Filesize
1024KB

Download
memory/3856-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-5-0x0000000000400000-0x0000000001BDF000-memory.dmp

Filesize
23.9MB

Download
memory/3856-8-0x0000000003850000-0x000000000388C000-memory.dmp

Filesize
240KB

Download
memory/3856-7-0x0000000001E60000-0x0000000001F60000-memory.dmp

Filesize
1024KB

Download
memory/3856-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads