Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/12/2024, 23:05 UTC

General

  • Target

    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe

  • Size

    368KB

  • MD5

    b0ea93be2b97136c752ef5bdfd040eac

  • SHA1

    660a07b3ba4d36fe24dc86488938d4b36de6645a

  • SHA256

    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f

  • SHA512

    6ca1a87997de85fd232068a998808c1390510fc13a7e17bf347b6cd63c5b6c883fc1f2b596f52ea6340ef340762125ae9ebe8cfde87a8ec63f2dd3e8db5635fb

  • SSDEEP

    3072:zXhaNBXoA7E5/GbfQlmhkIB4iZnXk+EOSpvMfBwJ3D1fAyQyjZ1QSv+8lYoU0RM:roBXoQE5Dhr0nUfOAMW5D1fAUQSKX

Malware Config

Extracted

Family

gcleaner

C2

208.67.104.97

85.31.46.167

107.182.129.235

171.22.30.106

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

  • Gcleaner family
  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    "C:\Users\Admin\AppData\Local\Temp\5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    PID:324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 456
      2⤵
      • Program crash
      PID:3976
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 768
      2⤵
      • Program crash
      PID:3604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 808
      2⤵
      • Program crash
      PID:4892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 848
      2⤵
      • Program crash
      PID:3608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 768
      2⤵
      • Program crash
      PID:1188
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 928
      2⤵
      • Program crash
      PID:3520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 932
      2⤵
      • Program crash
      PID:4856
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 324 -s 772
      2⤵
      • Program crash
      PID:2956
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 324 -ip 324
    1⤵
    PID:2980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 324 -ip 324
    1⤵
    PID:3968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 324 -ip 324
    1⤵
    PID:2044
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 324 -ip 324
    1⤵
    PID:1028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 324 -ip 324
    1⤵
    PID:4344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 324 -ip 324
    1⤵
    PID:8
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 324 -ip 324
    1⤵
    PID:3048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 324 -ip 324
    1⤵
    PID:3352

Network

  • 208.67.104.97:80
    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    260 B
    5
  • 208.67.104.97:80
    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    260 B
    5
  • 208.67.104.97:80
    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    260 B
    5
  • 208.67.104.97:80
    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    260 B
    5
  • 208.67.104.97:80
    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    260 B
    5
  • 208.67.104.97:80
    5e5b371c5e0c637ae119d80c65425ddfd79db7e87e539b46db93ec916a988d0f.exe
    260 B
    5

MITRE ATT&CK Enterprise v15

Downloads

  • memory/324-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp
    Filesize
    1024KB
  • memory/324-2-0x0000000004900000-0x0000000004942000-memory.dmp
    Filesize
    264KB
  • memory/324-3-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize
    276KB
  • memory/324-4-0x0000000002DE0000-0x0000000002EE0000-memory.dmp
    Filesize
    1024KB
  • memory/324-5-0x0000000000400000-0x0000000002BA5000-memory.dmp
    Filesize
    39.6MB
  • memory/324-6-0x0000000004900000-0x0000000004942000-memory.dmp
    Filesize
    264KB
  • memory/324-7-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize
    276KB
