e61e4307479b59fff371109891bea3b99b1a59c35cc6aae6b70eb067fac28a19 | Triage

Submit
Reports

Overview

overview

8

Static

static

CCleaner 6...al.zip

windows7-x64

8

CCleaner 6...al.zip

windows10-2004-x64

8

Resubmissions

18-10-2022 22:20

221018-18773sdhh4 8

03-10-2022 07:47

221003-jmlcradge5 8

Sharing

General

Target

CCleaner 6.00.9727 (x64) Professional Edition Multilingual.zip
Size

46.5MB
Sample

221018-18773sdhh4
MD5

c4f6b7208dd86c37e3e914e1355ee128
SHA1

2d6243373836f27a2f90ede02bd1b18c5a72c970
SHA256

e61e4307479b59fff371109891bea3b99b1a59c35cc6aae6b70eb067fac28a19
SHA512

afe5a37f46549d727d5ab7ae9ec7e03aa9b9d533f17835ae3bdf0469434f04a9652da6a236caf61a831363b6d3e28058229151d22bb8b36114e6c3f46b00058f
SSDEEP

786432:QW5LbUwZoT0zQjxg84E39DEzvm3FnX3QQ/93ejTn0VdKgjX50W7yaxovZ1H:Q+LM0AxxjEDm1nV980VdKm5le3vZ1H

Score

8^/10

bootkit discovery exploit persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

CCleaner 6.00.9727 (x64) Professional Edition Multilingual.zip

Resource

win7-20220812-en

bootkit discovery exploit persistence spyware stealer

windows7-x64

27 signatures

1800 seconds

Behavioral task

behavioral2

Sample

CCleaner 6.00.9727 (x64) Professional Edition Multilingual.zip

Resource

win10v2004-20220812-en

bootkit discovery exploit persistence spyware stealer

windows10-2004-x64

27 signatures

1800 seconds

Malware Config

Targets

- Target
  
  CCleaner 6.00.9727 (x64) Professional Edition Multilingual.zip
- Size
  
  46.5MB
- MD5
  
  c4f6b7208dd86c37e3e914e1355ee128
- SHA1
  
  2d6243373836f27a2f90ede02bd1b18c5a72c970
- SHA256
  
  e61e4307479b59fff371109891bea3b99b1a59c35cc6aae6b70eb067fac28a19
- SHA512
  
  afe5a37f46549d727d5ab7ae9ec7e03aa9b9d533f17835ae3bdf0469434f04a9652da6a236caf61a831363b6d3e28058229151d22bb8b36114e6c3f46b00058f
- SSDEEP
  
  786432:QW5LbUwZoT0zQjxg84E39DEzvm3FnX3QQ/93ejTn0VdKgjX50W7yaxovZ1H:Q+LM0AxxjEDm1nV980VdKm5le3vZ1H
Score

8^/10

bootkit discovery exploit persistence spyware stealer
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Hidden Files and Directories

Privilege Escalation

Defense Evasion

File Permissions Modification

Modify Registry

Install Root Certificate

Hidden Files and Directories

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Security Software Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitdiscoveryexploitpersistencespywarestealer

behavioral2

bootkitdiscoveryexploitpersistencespywarestealer

© 2018-2024

Terms | Privacy