gcleaner | 58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d

Analysis

max time kernel
142s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
Size

246KB
MD5

06da4f2ff17d452e476c792e51ce750b
SHA1

99fc4fa3196a07965823739ca70c5430a7270873
SHA256

58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d
SHA512

f14ee079f165cec97bc7a93807040aceeafc6ecd16016a38c8aa73097bbf1d9cc2c78b8f80c707c8a3ad2ad67f2169858587100d83e02749b97b7332281cce0a
SSDEEP

6144:KV2WyQlHXz2IYDyKsIdQu6go2Kt2vGJvMD:KV2WyQl3mxslu69l2+ZMD

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1000	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
420	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
3480	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
3140	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
3568	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
1208	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
5116	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
3744	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
2264	5036	WerFault.exe	58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe

C:\Users\Admin\AppData\Local\Temp\58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe
"C:\Users\Admin\AppData\Local\Temp\58d0026410046114d7f239f2e82bb26251a6bed96ac98a3d89d3b88e0d67f48d.exe"
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 480
2⤵
- Program crash
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 484
2⤵
- Program crash
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 780
2⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 820
2⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 820
2⤵
- Program crash
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 856
2⤵
- Program crash
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 984
2⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 988
2⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 784
2⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5036 -ip 5036
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5036 -ip 5036
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5036 -ip 5036
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5036 -ip 5036
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5036 -ip 5036
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5036 -ip 5036
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5036 -ip 5036
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036
1⤵
PID:4368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5036-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/5036-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-2-0x0000000002150000-0x000000000218C000-memory.dmp

Filesize
240KB

Download
memory/5036-4-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5036-6-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/5036-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download