gcleaner | 2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
Size

246KB
MD5

f17cb34bfd02d4a1b5d4f466827e4ae3
SHA1

77f70b7f039effe13a78333f0649aad019d5950a
SHA256

2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd
SHA512

af9e7cfc209352f6021dd6a0f8c9fda7b37ab0af2fbf7fb08ecda1648db9709bcd02c0fbe9d2246d16cb7b432cfc27e6d808f9940ff648f63131532db6d65a9a
SSDEEP

3072:1I5tu+QhwdmXIgq9uRNvuQjM+bV+HkcvBOL+sw6mi3K6ATYOCeO5RsNvXQQOUygP:1Iq+Qi6I79+JVM+JXuRi3KXWj5nQO

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4164	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
232	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
1984	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
4388	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
4964	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
64	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
832	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
2008	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
2360	5088	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe

C:\Users\Admin\AppData\Local\Temp\2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
"C:\Users\Admin\AppData\Local\Temp\2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe"
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 452
2⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 476
2⤵
- Program crash
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 748
2⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 748
2⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 800
2⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 824
2⤵
- Program crash
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 912
2⤵
- Program crash
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 916
2⤵
- Program crash
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 752
2⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5088 -ip 5088
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5088 -ip 5088
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5088 -ip 5088
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5088 -ip 5088
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5088 -ip 5088
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5088 -ip 5088
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5088 -ip 5088
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5088 -ip 5088
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5088 -ip 5088
1⤵
PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5088-1-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/5088-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-2-0x00000000006B0000-0x00000000006EC000-memory.dmp

Filesize
240KB

Download
memory/5088-4-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5088-6-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/5088-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download