gcleaner | 2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd

Analysis

max time kernel
141s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
Size

246KB
MD5

f17cb34bfd02d4a1b5d4f466827e4ae3
SHA1

77f70b7f039effe13a78333f0649aad019d5950a
SHA256

2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd
SHA512

af9e7cfc209352f6021dd6a0f8c9fda7b37ab0af2fbf7fb08ecda1648db9709bcd02c0fbe9d2246d16cb7b432cfc27e6d808f9940ff648f63131532db6d65a9a
SSDEEP

3072:1I5tu+QhwdmXIgq9uRNvuQjM+bV+HkcvBOL+sw6mi3K6ATYOCeO5RsNvXQQOUygP:1Iq+Qi6I79+JVM+JXuRi3KXWj5nQO

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4964	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
1604	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
4428	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
2740	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
1932	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
2816	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
1152	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
4584	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
892	4052	WerFault.exe	2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe

C:\Users\Admin\AppData\Local\Temp\2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe
"C:\Users\Admin\AppData\Local\Temp\2dc8d72e6eb3d6f198ad5a857c45186e60dc78f73e25676965946635fa3e3ccd.exe"
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 476
2⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 520
2⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 780
2⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 824
2⤵
- Program crash
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 840
2⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 804
2⤵
- Program crash
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 984
2⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1072
2⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 784
2⤵
- Program crash
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4052 -ip 4052
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4052 -ip 4052
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4052 -ip 4052
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4052 -ip 4052
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4052 -ip 4052
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4052 -ip 4052
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4052 -ip 4052
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4052 -ip 4052
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4052 -ip 4052
1⤵
PID:4824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4052-1-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/4052-2-0x0000000002150000-0x000000000218C000-memory.dmp

Filesize
240KB

Download
memory/4052-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-4-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4052-5-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/4052-7-0x0000000002150000-0x000000000218C000-memory.dmp

Filesize
240KB

Download
memory/4052-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download