Overview

overview

10

Static

static

Cleaner.exe

windows7_x64

10

Cleaner.exe

windows10-2004_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Cleaner.exe

  • Size

    2.7MB

  • Sample

    220420-xsw84aggbj

  • MD5

    1c88f4417a627bd565b7e152574de7ba

  • SHA1

    315fd6599725e69c3560f0781d644e16339c1b94

  • SHA256

    258cd579a69f5349baf093c6ced69a131293e566a6fb150971fc7b8810f749b3

  • SHA512

    c53093be74c9993a8806b1d8da8d1a662b434911bda546e5d8c863d7b5203b76b883bbff6dc7d1adfdb3fa44e56119e9edc71bd60e795e7bc86d3b1ab4fd3da4

Score
10/10
discoveryevasionexploit

Malware Config

Targets

    • Target

      Cleaner.exe

    • Size

      2.7MB

    • MD5

      1c88f4417a627bd565b7e152574de7ba

    • SHA1

      315fd6599725e69c3560f0781d644e16339c1b94

    • SHA256

      258cd579a69f5349baf093c6ced69a131293e566a6fb150971fc7b8810f749b3

    • SHA512

      c53093be74c9993a8806b1d8da8d1a662b434911bda546e5d8c863d7b5203b76b883bbff6dc7d1adfdb3fa44e56119e9edc71bd60e795e7bc86d3b1ab4fd3da4

    Score
    10/10
    discoveryevasionexploit

    • Modifies security service

      evasion

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Possible privilege escalation attempt

      exploit

    • Stops running service(s)

      evasion

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Impair Defenses

1
T1562

File Permissions Modification

1
T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks