gcleaner | e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
Size

393KB
MD5

7c14e248ff1e22dbabfa8b72b832f47d
SHA1

c01bf3d43e077af34cc6d172cbfa0433d5959124
SHA256

e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d
SHA512

b044ac315e72400d589f69ac611efe6bc05702d4f4f4a851e265aa1293f76611bc1bb1bb7cade970647f3c82ac32b93c2b6a78982e348d79dc35c3655af71c32
SSDEEP

6144:I9LGUX0Ui/BNev6OHhRm3nXPgHw78lvQMTPI:oKm0UKBNeNH/m3nr8FQMTP

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
808	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
3928	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
3628	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
5924	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
5940	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
3240	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
2092	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
624	3572	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

pid process

3572 e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

pid	process
3572	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

C:\Users\Admin\AppData\Local\Temp\e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
"C:\Users\Admin\AppData\Local\Temp\e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 416
2⤵
- Program crash
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 764
2⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 784
2⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 820
2⤵
- Program crash
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 796
2⤵
- Program crash
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 928
2⤵
- Program crash
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1004
2⤵
- Program crash
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 768
2⤵
- Program crash
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3572 -ip 3572
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3572 -ip 3572
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3572 -ip 3572
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3572 -ip 3572
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3572 -ip 3572
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3572 -ip 3572
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3572 -ip 3572
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3572 -ip 3572
1⤵
PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3572-1-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/3572-2-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-3-0x0000000000400000-0x000000000237E000-memory.dmp

Filesize
31.5MB

Download
memory/3572-4-0x0000000000400000-0x000000000237E000-memory.dmp

Filesize
31.5MB

Download
memory/3572-6-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/3572-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download