Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11/09/2024, 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1b22013a322d2d3f3a050b900c3270466bb519da68e27f6f6afaa9bdc3383c7.exe

  • Size

    433KB

  • MD5

    9cc935239389f22692847a3d233c2878

  • SHA1

    8ea6d552fcec446433ee3b1970ffd8fb7e22db1c

  • SHA256

    d1b22013a322d2d3f3a050b900c3270466bb519da68e27f6f6afaa9bdc3383c7

  • SHA512

    08e484f13d7990f2174d0157496de1f6a4b66fce1620eda42cbc9c09bbd9896ecd0ae36fcbda19f8d3186bc5eb165d03b09ca9b911f2c0c6bf6964f18305300e

  • SSDEEP

    6144:3tDlEnMXd+d0AxFKDunWAgKEt7HecOEwlJkT7g0+HP6B:hlYMXY62KqBgvV+J/h0+Hi

Score
10/10
gcleanerdiscoveryloader

Malware Config

Extracted

Family

gcleaner

C2

80.66.75.114

45.91.200.135

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Program crash 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1b22013a322d2d3f3a050b900c3270466bb519da68e27f6f6afaa9bdc3383c7.exe
    "C:\Users\Admin\AppData\Local\Temp\d1b22013a322d2d3f3a050b900c3270466bb519da68e27f6f6afaa9bdc3383c7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 476
      2⤵
      • Program crash
      PID:1012
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 540
      2⤵
      • Program crash
      PID:548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 780
      2⤵
      • Program crash
      PID:4500
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 800
      2⤵
      • Program crash
      PID:3124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 800
      2⤵
      • Program crash
      PID:1396
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 872
      2⤵
      • Program crash
      PID:2116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 960
      2⤵
      • Program crash
      PID:2880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1072
      2⤵
      • Program crash
      PID:4924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 784
      2⤵
      • Program crash
      PID:1760
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528
    1⤵
      PID:5628
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1528 -ip 1528
      1⤵
        PID:1464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1528 -ip 1528
        1⤵
          PID:3364
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1528 -ip 1528
          1⤵
            PID:3140
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1528 -ip 1528
            1⤵
              PID:2212
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1528 -ip 1528
              1⤵
                PID:1888
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1528 -ip 1528
                1⤵
                  PID:3744
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1528 -ip 1528
                  1⤵
                    PID:2908
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1528 -ip 1528
                    1⤵
                      PID:1032

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/1528-1-0x0000000002700000-0x0000000002800000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/1528-2-0x00000000041A0000-0x00000000041DB000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/1528-3-0x0000000000400000-0x000000000043F000-memory.dmp

                      Filesize

                      252KB

                      Download

                    • memory/1528-6-0x0000000002700000-0x0000000002800000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/1528-8-0x00000000041A0000-0x00000000041DB000-memory.dmp

                      Filesize

                      236KB

                      Download

                    • memory/1528-10-0x0000000000400000-0x000000000043F000-memory.dmp

                      Filesize

                      252KB

                      Download

                    • memory/1528-9-0x0000000000400000-0x0000000002486000-memory.dmp

                      Filesize

                      32.5MB

                      Download