Analysis
- max time kernel: 149s
- max time network: 195s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 15-09-2021 00:02
Static task: static1
Behavioral task: behavioral1
- Sample: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
- Resource: win10v20210408
General
- Target: 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe
- Size: 40KB
- MD5: 1e59602b94507836f0fddb82d8c7ac04
- SHA1: 1374bfc9639ae6583e79eb3cbd120a890dc3cb6b
- SHA256: 2eb88ba0ec82b9be5def15bfd603ebfb764089ec2b14d2272feedc7b34630a01
- SHA512: 8e103f07aad5fc7fc6e1238ebccb450f21d822e3a1eddcf061dd60c9b26eb86023770050fe9ae83f8dd1d31172bcb6208f3742d3d33958dac01481356a2610ed
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1300 | ccleaner.exe
- Modifies Windows Firewall (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2 = "\"C:\\ProgramData\\ccleaner.exe\" .." | ccleaner.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\120f7699ed5fd0a293b307d4bfc80aa2 = "\"C:\\ProgramData\\ccleaner.exe\" .." | ccleaner.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1300 | ccleaner.exe
    Token: 33 | 1300 | ccleaner.exe (15 rows, alternating with the row below)
    Token: SeIncBasePriorityPrivilege | 1300 | ccleaner.exe (15 rows)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 2044 wrote to memory of 1300 | 2044 | 2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe | ccleaner.exe (3 rows)
    PID 1300 wrote to memory of 824 | 1300 | ccleaner.exe | netsh.exe (3 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe (PID 2044, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2EB88BA0EC82B9BE5DEF15BFD603EBFB764089EC2B14D.exe"
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\ccleaner.exe (PID 1300, depth 2)
    Command line: "C:\ProgramData\ccleaner.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (PID 824, depth 3)
      Command line: netsh firewall add allowedprogram "C:\ProgramData\ccleaner.exe" "ccleaner.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\ccleaner.exe
  MD5: 1e59602b94507836f0fddb82d8c7ac04
  SHA1: 1374bfc9639ae6583e79eb3cbd120a890dc3cb6b
  SHA256: 2eb88ba0ec82b9be5def15bfd603ebfb764089ec2b14d2272feedc7b34630a01
  SHA512: 8e103f07aad5fc7fc6e1238ebccb450f21d822e3a1eddcf061dd60c9b26eb86023770050fe9ae83f8dd1d31172bcb6208f3742d3d33958dac01481356a2610ed
- memory/824-66-0x0000000000000000-mapping.dmp
- memory/824-67-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
  Filesize: 8KB
- memory/1300-61-0x0000000000000000-mapping.dmp
- memory/1300-64-0x000007FEF2C60000-0x000007FEF3CF6000-memory.dmp
  Filesize: 16.6MB
- memory/1300-65-0x0000000001E20000-0x0000000001E22000-memory.dmp
  Filesize: 8KB
- memory/2044-59-0x0000000000190000-0x0000000000192000-memory.dmp
  Filesize: 8KB
- memory/2044-60-0x000007FEF2C60000-0x000007FEF3CF6000-memory.dmp
  Filesize: 16.6MB