Overview

overview

7

Static

static

1

CCleaner64.exe

windows7-x64

7

CCleaner64.exe

windows10-2004-x64

7

Resubmissions

29-03-2023 00:32

230329-av3sbsea95 7

29-03-2023 00:28

230329-asjxfafg4s 7

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2023 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CCleaner64.exe

  • Size

    37.3MB

  • MD5

    2989ffd5783532fb2d49588c9fc8b1c6

  • SHA1

    d5b87c5402debd0434c02b2366fc2de50f47485e

  • SHA256

    9d4b19b0723b350860614548f2c8342802fc115acff93ef63b580db189e57c2d

  • SHA512

    1e666a6fed67b8aa492c3ca8de023bebb8ea842f4f67512c9876628d0a9f14efa1fce3b1abec32b9833470040dbd94c210a97b9241818fba8cfcdae036d7185a

  • SSDEEP

    393216:Fud5EHypOO1QQsn5FHz8CeoF4c/rqNZ+gIItlxhSEAewYnhO:Fu7EbOC/Homk+gIIzx7Hw

Score
7/10
bootkitdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe
    "C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Checks system information in the registry
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
    Filesize

    512KB

    MD5

    40ee435575dbb0bb0f46915c435c84e6

    SHA1

    e85dc71f335062485329e585813b624cb696e063

    SHA256

    89cb1e510c5ac3d60485b04aa1fe9d183c7eabd410036f2b1e380caf0dadd4b4

    SHA512

    abe65564b326e2859616a1ddb5e5f3c31191abbd8fe94053ebe5f3ffdd9d8c8831e5b397794b9d8da587a13438bab69ce1926a4f57a28853152693cfcc513d46

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
    Filesize

    14.0MB

    MD5

    7b44f7900678d67412ccdcbe9931c13a

    SHA1

    ece0f4532570746f8b52a43ca21e734cc099548a

    SHA256

    79a57aaa8c1fd5b93fadea1f7ade7f9516ba9e0e2b1def8298803f614b538da8

    SHA512

    09637a464c2f2a783d312b4dc101afd3bde85caf92d61790ecd3ce2c32806cbd41c37b303e6e988e01ec1d630eb879b91cec4e0c05e959eca61d31b917e04141

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
    Filesize

    16KB

    MD5

    416bd2598013c2b1c3afc623f6f8453a

    SHA1

    bdbf27b55c5963b4d9d29ee8b864bde942d319e5

    SHA256

    a4c9aa8024bd67e7e548fca15d6dbe22d0441872b528e3f20efdfce0ff167b18

    SHA512

    c27d9b21bda41456a913da49a375b76d6583a579568c75d76c77f4b930a6ffdc067b39f9d3a8dd2e0a7009ff0734655bc02032e1927551b6368cf9a558bf665b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
    Filesize

    16KB

    MD5

    9a8635f87394ab9ebda6aa064fb73167

    SHA1

    b8f8f608d69bab701f350599b24597f258db4a99

    SHA256

    60497925bc5c1613bcbcb44f9e7e2096b56bb067b4bdc37fcbd563fbe8c5389f

    SHA512

    ba4291681e2a252cdfa93971568e169ea5cb679569af639b8dafac31fa814654375183a9a18bb8a3321a8af7f42d92c94b9aba51d53767aabdbb9bf4632c48be

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\gcapi_16800572111932.dll
    Filesize

    740KB

    MD5

    f17f96322f8741fe86699963a1812897

    SHA1

    a8433cab1deb9c128c745057a809b42110001f55

    SHA256

    8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

    SHA512

    f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit
  • memory/1932-175-0x000001EFFB830000-0x000001EFFB838000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1932-178-0x000001EFFB830000-0x000001EFFB838000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1932-139-0x00007FFB29070000-0x00007FFB29071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-147-0x000001EFF32B0000-0x000001EFF32C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1932-153-0x000001EFF3310000-0x000001EFF3320000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1932-173-0x000001EFFB950000-0x000001EFFB958000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1932-133-0x00007FFB29030000-0x00007FFB29031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-176-0x000001EFFB820000-0x000001EFFB821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-181-0x000001EFFB820000-0x000001EFFB828000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1932-140-0x00007FFB27A30000-0x00007FFB27A31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-184-0x000001EFFB7E0000-0x000001EFFB7E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-138-0x00007FFB290D0000-0x00007FFB290D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-196-0x000001EFFB8D0000-0x000001EFFB8D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1932-199-0x000001EFFB910000-0x000001EFFB918000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1932-202-0x000001EFFB820000-0x000001EFFB821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-206-0x000001EFFB7E0000-0x000001EFFB7E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-137-0x00007FFB29060000-0x00007FFB29061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-136-0x00007FFB290A0000-0x00007FFB290A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-135-0x00007FFB29050000-0x00007FFB29051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-134-0x00007FFB29040000-0x00007FFB29041000-memory.dmp
    Filesize

    4KB

    Download