Overview

overview

10

Static

static

3

0eba9622a0...39.exe

windows7-x64

10

0eba9622a0...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0eba9622a0cd406a25342d58bd188b1ca19f39540b30e70d9f3f4a476ec25d39.exe

  • Size

    356KB

  • MD5

    a5b92840029073b54a595eb7d4af481b

  • SHA1

    4237a5320d90c46aabecd1edffeecbec5507113f

  • SHA256

    0eba9622a0cd406a25342d58bd188b1ca19f39540b30e70d9f3f4a476ec25d39

  • SHA512

    a8adee3e78e9c20577b6a189fedad4048cfd08a349618cc44acf13209baab7d2705b05667ad311269c434ba4ac28a7b04582ecb235742093bb05bf1f8540a800

  • SSDEEP

    6144:MUHCLMyXvJxaSfAMPchycgX/D1PZ2Gl7ITsq:MUiTfJxPPF3X/9Z2Gl7

Score
10/10
gcleanerdiscoveryloader

Malware Config

Extracted

Family

gcleaner

C2

45.139.105.171

85.31.46.167

107.182.129.235

171.22.30.106
Attributes
  • url_path

    ....!..../software.php

    ....!..../software.php

Signatures

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0eba9622a0cd406a25342d58bd188b1ca19f39540b30e70d9f3f4a476ec25d39.exe
    "C:\Users\Admin\AppData\Local\Temp\0eba9622a0cd406a25342d58bd188b1ca19f39540b30e70d9f3f4a476ec25d39.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 444
      2⤵
      • Program crash
      PID:4104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 764
      2⤵
      • Program crash
      PID:1752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 784
      2⤵
      • Program crash
      PID:1924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 784
      2⤵
      • Program crash
      PID:4360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 836
      2⤵
      • Program crash
      PID:2848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 928
      2⤵
      • Program crash
      PID:3560
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 936
      2⤵
      • Program crash
      PID:2584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 768
      2⤵
      • Program crash
      PID:2420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3024 -ip 3024
    1⤵
      PID:3684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3024 -ip 3024
      1⤵
        PID:1536
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3024 -ip 3024
        1⤵
          PID:2336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3024 -ip 3024
          1⤵
            PID:4624
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3024 -ip 3024
            1⤵
              PID:748
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3024 -ip 3024
              1⤵
                PID:1224
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3024 -ip 3024
                1⤵
                  PID:1824
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3024 -ip 3024
                  1⤵
                    PID:3500

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/3024-1-0x0000000002E60000-0x0000000002F60000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/3024-2-0x0000000002DE0000-0x0000000002E20000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/3024-3-0x0000000000400000-0x0000000000444000-memory.dmp

                    Filesize

                    272KB

                    Download

                  • memory/3024-4-0x0000000002E60000-0x0000000002F60000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/3024-6-0x0000000002DE0000-0x0000000002E20000-memory.dmp

                    Filesize

                    256KB

                    Download

                  • memory/3024-5-0x0000000000400000-0x0000000002C48000-memory.dmp

                    Filesize

                    40.3MB

                    Download

                  • memory/3024-7-0x0000000000400000-0x0000000000444000-memory.dmp

                    Filesize

                    272KB

                    Download