gcleaner | c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
Size

403KB
MD5

a043cba1e4fdcdc53ba0af5579fea8a2
SHA1

6c3ade51b33b58d4ae9080ff8db95f7fcc8b633b
SHA256

c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662
SHA512

8f98162afc394aacc970ee777fbd26389d49d9416bafc6be0ab5ad8e6f385994a80a8eff50fe37fb2af364f33811900f8faffe61c53e8d2d9638cf6c7bd170d2
SSDEEP

6144:BvLL2YV8V+/p7BCNlGEtt1oRtvWoEQMTP:tv2YqV+/p7BavEvWpQMT

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3596	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
428	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
2920	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
3176	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
4492	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
4216	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
4504	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
436	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
5088	2508	WerFault.exe	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe

pid process

2508 c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe

pid	process
2508	c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe

C:\Users\Admin\AppData\Local\Temp\c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe
"C:\Users\Admin\AppData\Local\Temp\c6ff6934e6fb0aa123b5f3cd3fa94c630b3aa3695f5efdd4a6238aee5c7d3662.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 476
2⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 764
2⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 784
2⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 816
2⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 764
2⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 944
2⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1004
2⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1108
2⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 768
2⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2508 -ip 2508
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2508 -ip 2508
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2508 -ip 2508
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2508 -ip 2508
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2508 -ip 2508
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2508 -ip 2508
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2508 -ip 2508
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2508 -ip 2508
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2508 -ip 2508
1⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-1-0x00000000024F0000-0x00000000025F0000-memory.dmp

Filesize
1024KB

Download
memory/2508-2-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-3-0x0000000000400000-0x0000000002381000-memory.dmp

Filesize
31.5MB

Download
memory/2508-4-0x0000000000400000-0x0000000002381000-memory.dmp

Filesize
31.5MB

Download
memory/2508-5-0x00000000024F0000-0x00000000025F0000-memory.dmp

Filesize
1024KB

Download
memory/2508-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download