gcleaner | 58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
Size

246KB
MD5

06da4f2ff17d452e476c792e51ce750b
SHA1

99fc4fa3196a07965823739ca70c5430a7270873
SHA256

58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d
SHA512

f14ee079f165cec97bc7a93807040aceeafc6ecd16016a38c8aa73097bbf1d9cc2c78b8f80c707c8a3ad2ad67f2169858587100d83e02749b97b7332281cce0a
SSDEEP

6144:KV2WyQlHXz2IYDyKsIdQu6go2Kt2vGJvMD:KV2WyQl3mxslu69l2+ZMD

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4220	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
5020	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
1584	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
524	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
1944	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
3132	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
2608	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
536	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
3236	2508	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe

C:\Users\Admin\AppData\Local\Temp\58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
"C:\Users\Admin\AppData\Local\Temp\58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe"
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 460
2⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 492
2⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 748
2⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 768
2⤵
- Program crash
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 808
2⤵
- Program crash
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 840
2⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 912
2⤵
- Program crash
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 988
2⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 752
2⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2508 -ip 2508
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2508 -ip 2508
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2508 -ip 2508
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2508 -ip 2508
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2508 -ip 2508
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2508 -ip 2508
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2508 -ip 2508
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2508 -ip 2508
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2508 -ip 2508
1⤵
PID:2964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-1-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/2508-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-2-0x00000000006B0000-0x00000000006EC000-memory.dmp

Filesize
240KB

Download
memory/2508-4-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2508-6-0x0000000000780000-0x0000000000880000-memory.dmp

Filesize
1024KB

Download
memory/2508-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download