Overview

overview

10

Static

static

3

5e5b371c5e...0f.exe

windows7-x64

10

5e5b371c5e...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe

  • Size

    368KB

  • MD5

    b0ea93be2b97136c752ef5bdfd040eac

  • SHA1

    660a07b3ba4d36fe24dc86488938d4b36de6645a

  • SHA256

    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f

  • SHA512

    6ca1a87997de85fd232068a998808c1390510fc13a7e17bf347b6cd63c5b6c883fc1f2b596f52ea6340ef340762125ae9ebe8cfde87a8ec63f2dd3e8db5635fb

  • SSDEEP

    3072:zXhaNBXoA7E5/GbfQlmhkIB4iZnXk+EOSpvMfBwJ3D1fAyQyjZ1QSv+8lYoU0RM:roBXoQE5Dhr0nUfOAMW5D1fAUQSKX

Score
10/10
gcleanerdiscoveryloader

Malware Config

Extracted

Family

gcleaner

C2

208.67.104.97

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    "C:\Users\Admin\AppData\Local\Temp\5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    PID:324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 456
      2⤵
      • Program crash
      PID:3976
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 768
      2⤵
      • Program crash
      PID:3604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 808
      2⤵
      • Program crash
      PID:4892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 848
      2⤵
      • Program crash
      PID:3608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 768
      2⤵
      • Program crash
      PID:1188
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 928
      2⤵
      • Program crash
      PID:3520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 932
      2⤵
      • Program crash
      PID:4856
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 772
      2⤵
      • Program crash
      PID:2956
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 324 -ip 324
    1⤵
      PID:2980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 324 -ip 324
      1⤵
        PID:3968
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 324 -ip 324
        1⤵
          PID:2044
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 324 -ip 324
          1⤵
            PID:1028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 324 -ip 324
            1⤵
              PID:4344
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 324 -ip 324
              1⤵
                PID:8
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 324 -ip 324
                1⤵
                  PID:3048
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 324 -ip 324
                  1⤵
                    PID:3352

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/324-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/324-2-0x0000000004900000-0x0000000004942000-memory.dmp

                    Filesize

                    264KB

                    Download

                  • memory/324-3-0x0000000000400000-0x0000000000445000-memory.dmp

                    Filesize

                    276KB

                    Download

                  • memory/324-4-0x0000000002DE0000-0x0000000002EE0000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/324-5-0x0000000000400000-0x0000000002BA5000-memory.dmp

                    Filesize

                    39.6MB

                    Download

                  • memory/324-6-0x0000000004900000-0x0000000004942000-memory.dmp

                    Filesize

                    264KB

                    Download

                  • memory/324-7-0x0000000000400000-0x0000000000445000-memory.dmp

                    Filesize

                    276KB

                    Download