gcleaner | 8bb5695bb99898e58cf2b36c6d55db0c9c03eeb55446e5f753d46849a46fc7a8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 06:57

Target

6217f4509db69c7d318daba0d6bead10N.exe
Size

2.0MB
MD5

6217f4509db69c7d318daba0d6bead10
SHA1

571e4b4d6c7dd22a31e942b8946dda9e3167d1b7
SHA256

8bb5695bb99898e58cf2b36c6d55db0c9c03eeb55446e5f753d46849a46fc7a8
SHA512

845008b8b16d8462f1dbd37705ba10e67739b9445e5f8e9be9102d9d04720c1f1189a8095a38694932810036c3b9cae628d8dc7fd2fe3eda4aa896ebd1165089
SSDEEP

24576:NwpsFArBggSk/nDH8KfGPBcOHfe12/wgTMZ7zK27pIvGmvcH7jxL4Oj2Qwxl7b:NweGBggSk/z8mw7zQZ62lSG/jxsj7b

Score

10^/10

gcleaner loader

Family

gcleaner

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Executes dropped EXE 1 IoCs

pid	Process
2736	hcxE9.exe

Loads dropped DLL 1 IoCs

pid	Process
2892	6217f4509db69c7d318daba0d6bead10N.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2892	6217f4509db69c7d318daba0d6bead10N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2736	2892	6217f4509db69c7d318daba0d6bead10N.exe	30
PID 2892 wrote to memory of 2736	2892	6217f4509db69c7d318daba0d6bead10N.exe	30
PID 2892 wrote to memory of 2736	2892	6217f4509db69c7d318daba0d6bead10N.exe	30
PID 2892 wrote to memory of 2736	2892	6217f4509db69c7d318daba0d6bead10N.exe	30

C:\Users\Admin\AppData\Local\Temp\6217f4509db69c7d318daba0d6bead10N.exe
"C:\Users\Admin\AppData\Local\Temp\6217f4509db69c7d318daba0d6bead10N.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\hcxE9.exe
  2⤵
  - Executes dropped EXE
  PID:2736

\Users\Admin\AppData\Roaming\{846ee340-7039-11de-9d20-806e6f6e6963}\hcxE9.exe

Filesize
72KB

MD5
3fb36cb0b7172e5298d2992d42984d06

SHA1
439827777df4a337cbb9fa4a4640d0d3fa1738b7

SHA256
27ae813ceff8aa56e9fa68c8e50bb1c6c4a01636015eac4bd8bf444afb7020d6

SHA512
6b39cb32d77200209a25080ac92bc71b1f468e2946b651023793f3585ee6034adc70924dbd751cf4a51b5e71377854f1ab43c2dd287d4837e7b544ff886f470c

Download Submit
memory/2892-0-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/2892-1-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/2892-2-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download
memory/2892-8-0x0000000000400000-0x00000000013F4000-memory.dmp

Filesize
16.0MB

Download