Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

CCleaner.v6.10.10347.exe
Size

32MB
Sample

230328-ge685shb65
MD5

9a09391b4b56f5536ebd631ec9a70467
SHA1

b5b4029e10893e2fa4427e19cc1b8c5be3127a32
SHA256

f607e4e0cc1d39352854e171efe277e691b01ccc0a15820b72a12de4aace6a4c
SHA512

535b887500ad83ef366560392334757fd44b78c272d22b7933b7b7bfe23a2cf88190e299008420dfbe5c03968ac5de91b65895ed009400fc74ce7d67908528b7
SSDEEP

786432:3NwaTjX+cS77nNiO2CCSHVt2lOwwCcovp9dOD:hTjOcSXNSS1slGoC

Score

8^/10

Malware Config

Targets

- Target
  
  CCleaner.v6.10.10347.exe
- Size
  
  32MB
- MD5
  
  9a09391b4b56f5536ebd631ec9a70467
- SHA1
  
  b5b4029e10893e2fa4427e19cc1b8c5be3127a32
- SHA256
  
  f607e4e0cc1d39352854e171efe277e691b01ccc0a15820b72a12de4aace6a4c
- SHA512
  
  535b887500ad83ef366560392334757fd44b78c272d22b7933b7b7bfe23a2cf88190e299008420dfbe5c03968ac5de91b65895ed009400fc74ce7d67908528b7
- SSDEEP
  
  786432:3NwaTjX+cS77nNiO2CCSHVt2lOwwCcovp9dOD:hTjOcSXNSS1slGoC
Score

8^/10

discovery adware bootkit persistence spyware stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

T1005

Command and Control

Credential Access

Credentials in Files

T1081

Defense Evasion

Web Service

T1102

Modify Registry

T1112

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Command-Line Interface

T1059

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Browser Extensions

T1176

Privilege Escalation

Tasks

Sharing

General

Malware Config

Targets

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Registers COM server for autorun

Checks for any installed AV software in registry

Checks installed software on the system

Enumerates connected drives

Installs/modifies Browser Helper Object

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Checks system information in the registry

Drops file in System32 directory

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2