gcleaner | e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
27-06-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
Size

393KB
MD5

7c14e248ff1e22dbabfa8b72b832f47d
SHA1

c01bf3d43e077af34cc6d172cbfa0433d5959124
SHA256

e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d
SHA512

b044ac315e72400d589f69ac611efe6bc05702d4f4f4a851e265aa1293f76611bc1bb1bb7cade970647f3c82ac32b93c2b6a78982e348d79dc35c3655af71c32
SSDEEP

6144:I9LGUX0Ui/BNev6OHhRm3nXPgHw78lvQMTPI:oKm0UKBNeNH/m3nr8FQMTP

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2708	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
1692	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
3404	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
2684	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
4684	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
3928	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
4072	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
916	3560	WerFault.exe	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

pid process

3560 e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

pid	process
3560	e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe

C:\Users\Admin\AppData\Local\Temp\e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe
"C:\Users\Admin\AppData\Local\Temp\e089909a96a07f5165856712227e1004ea8d1f2ffedc74b0008fd4c86db4a86d.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 476
2⤵
- Program crash
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 796
2⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 836
2⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 856
2⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 924
2⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1040
2⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1044
2⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 800
2⤵
- Program crash
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3560 -ip 3560
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3560 -ip 3560
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3560 -ip 3560
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3560 -ip 3560
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3560 -ip 3560
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3560 -ip 3560
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3560 -ip 3560
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3560 -ip 3560
1⤵
PID:4732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3560-1-0x0000000002540000-0x0000000002640000-memory.dmp

Filesize
1024KB

Download
memory/3560-2-0x00000000040B0000-0x00000000040EC000-memory.dmp

Filesize
240KB

Download
memory/3560-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-4-0x0000000000400000-0x000000000237E000-memory.dmp

Filesize
31.5MB

Download
memory/3560-5-0x0000000002540000-0x0000000002640000-memory.dmp

Filesize
1024KB

Download
memory/3560-7-0x00000000040B0000-0x00000000040EC000-memory.dmp

Filesize
240KB

Download
memory/3560-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download