c2b88b7c0e3a630f69c35d3d476a01c38f83fca3efbba10e55188e0264ff56d6

Analysis

max time kernel
134s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-05-2023 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner.Technician.6.12.10490.Portable/CCleanerPortable.exe
Size

83KB
MD5

5aeed26e8407efdba31fc41fbe2014dd
SHA1

d3284d5441d3c5ec9fa50c0aba100ed0d93f5c79
SHA256

c63a1798b3d1884fd9fefda4a4fca2692ac14c56252b8238c55ce2f00edfb5f8
SHA512

df1fda897f5a92cb9569fb9139656fd0f80f4b4f8c430e6fcfa246221cc0810157b3fd5a7772203f969f71471964345420e1635538adee5ee199a0aba1f44e28
SSDEEP

1536:MQpQ5EP0ijnRTXJeTHUAQBKnTu73/Cp1jnFYicR5Ca7S1gU5kE4s:MQIURTXJeTUAQBma73/Cbnr45Ca76gTs

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	CCleanerPortable.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	CCleanerPortable.exe

Loads dropped DLL 6 IoCs

pid	Process
1048	CCleanerPortable.exe
1048	CCleanerPortable.exe
1048	CCleanerPortable.exe
1048	CCleanerPortable.exe
1048	CCleanerPortable.exe
800	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1048	CCleanerPortable.exe
1048	CCleanerPortable.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe
800	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	CCleaner64.exe
Token: SeShutdownPrivilege	800	CCleaner64.exe
Token: SeShutdownPrivilege	800	CCleaner64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
800	CCleaner64.exe
800	CCleaner64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 800	1048	CCleanerPortable.exe	27
PID 1048 wrote to memory of 800	1048	CCleanerPortable.exe	27
PID 1048 wrote to memory of 800	1048	CCleanerPortable.exe	27
PID 1048 wrote to memory of 800	1048	CCleanerPortable.exe	27

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\CCleanerPortable.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\CCleanerPortable.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe
  "C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe"
  2⤵
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.dat

Filesize
88B

MD5
43f3299de6aa858dd915ffc677179355

SHA1
71a74ecfc5f3231fd877b2e5a67cc24f693ac155

SHA256
cc0842e9dc34d6e46f40c3edeb70b6f07ba2419947392f55719651f2b82d0590

SHA512
113527135b79198b72b5fe0b9f59888a45107ed3be84c106cd6103573b8174c94dab55743feb0d76cc46178bab4012856ac1b98d9fc2fc83e0dc915ef5371ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
216B

MD5
578932cc31e1ed1f688f5909408a4ce1

SHA1
4cd2f1c7f22ca476011eb50e7c5699b203423aac

SHA256
c9726f4a1a3a5f66b564f1bcf74432e907fd7c14244be47912261ff2fe50f56b

SHA512
a0193a662cce643edacd378262803198d4d47c9a3ce1a60d84fa837c12f8335639a791d01c8302897a71cfd5250ede0c7f535b0f43f81f4f5332abf4aba6b8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
329B

MD5
14a034a12f5e2c8722233ef6c802c85f

SHA1
5aec627a1439d7f7887b37b667ff23b9f5a96c99

SHA256
628e7547f12d22ff52862e23e3e71066d196926991be1f37d7f9a7731b313cd7

SHA512
7120ba25dec5ce4236dd385a64a4105f18d9af6dcebb719d8dc5766f259cd97f5ffcc9c2911f9d854a901196ec8fe1b85d11eb705ff96bcfe9a5a84c3c5efa58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
349B

MD5
65764557ecf2430e7338e57796268eca

SHA1
856ccef05b6a7c600254e17f967ef76fc8e6da59

SHA256
bba4c8511e2752df1787aca2435ba0c83ef2ea9a179abfecf5473496f806de62

SHA512
acaab155263224dd644887bc86a851c45eb908891fab19bcef8be4eb4cd79f84de3ac7d862523db01fc8c67ac801af29e452d3c007eeb25ff6f99249f7a79056

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
369B

MD5
d69e4cdf19a3d9e2f059c36845e9f2f2

SHA1
4cfdea4add11122761c0be742cb4048a096ed3bc

SHA256
c3f28a127eda13b59a665306646382a470c5ccff36646361e54baaa37da3bc77

SHA512
d2fdd1026796358cd2a4ab23db4a69f5df39d6c0271dde472d78107951ca10ae13f0e672e8791ac6ea3532ed2f89cf659efb86789ccbd74037dd0d9377d0af4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
453B

MD5
4ba02cc77c09168fa71b9541a02e05a9

SHA1
7a4cf0d995ea5d3c893c533c8f37a3780abe8ad5

SHA256
78676d1846111ed46846244370cfca824c884a850ec46b5efc42d5297e6b3ae3

SHA512
143fe5032205bfd00349f68eb7c318313d3e1b13bb78a14e8bc1a93e829c9af10dc2a79fc006c2fa4df5e1d70768cda262e1a3de2b4ec93c212fd6db99a54fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
467B

MD5
a1413a02457dbc04f5c28a15d798881a

SHA1
2d017be1b325cc57e1fc5c60ce26dbb0ba8ae1cc

SHA256
19b50711490796468c5330d8d8e958fedea41c18a744d9648666677c6952433c

SHA512
8c34dd48239cdd474e8e7bbc53ed6fcdc40c4f014939bfce2a624f13207ec7e93b310ba97fdaca37660b9a222a719c3ee241d7875f9e5c31d1c127f5a0634a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
493B

MD5
63380830c99cb1f02ed696e2ab0a119e

SHA1
0b62057665c0df4cc0ab88fb7960d92e0b1f7814

SHA256
1cb97496aa7fd47da94df91b6d6cfbd156b78c2de207d7cd60195e93ea0cad0f

SHA512
7911f8f862ecc8e6700583efbb7a3799fa31a3dd6b82a9d4f7aa94ccd4afc18697fc576245067c49d163e0239db6959223db9e7e130ce3938d7d32b760d305fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
584B

MD5
afb911b147956481739b58f4f72bcf74

SHA1
ca34be0e7d491b24a4c511b8805f1788bacb144b

SHA256
f53def4f252f9129a3894d62e35411be869cf85a78f16cf9c4609b31afb77a5c

SHA512
4d46548f00909ba0d78b29abb5ca25242917537e467996fd28efe1215a5ddaa615354ca22296fd73c0fbb5f912939769494288a34146720bbcc6e8e0666e25fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
584B

MD5
98d8839001e511e3a193474f3f02ccc1

SHA1
e2bf63ee641cbf987660e168bf4e76efd5d29eda

SHA256
9bf9d76fbaf1a2c4fd13a881298b3fd2e8c6bcb3bd0a15cd5d9d9c3e003ad5d4

SHA512
fa7550d5de7e785565ea7a25bcb8b62ddff64cb13c5550b80222bf2e81d5f786c2445d234400a0beb4f310e1b78f8b325d276d30c822e625d7c745d8beb5c377

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\ccleaner.ini

Filesize
216B

MD5
578932cc31e1ed1f688f5909408a4ce1

SHA1
4cd2f1c7f22ca476011eb50e7c5699b203423aac

SHA256
c9726f4a1a3a5f66b564f1bcf74432e907fd7c14244be47912261ff2fe50f56b

SHA512
a0193a662cce643edacd378262803198d4d47c9a3ce1a60d84fa837c12f8335639a791d01c8302897a71cfd5250ede0c7f535b0f43f81f4f5332abf4aba6b8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE91.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC195.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso7504.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\gcapi_1684601943800.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
\Users\Admin\AppData\Local\Temp\nso7504.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
\Users\Admin\AppData\Local\Temp\nso7504.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
\Users\Admin\AppData\Local\Temp\nso7504.tmp\Registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nso7504.tmp\System.dll

Filesize
11KB

MD5
a78507ea1078cadaa8b2ec1a2e1d874f

SHA1
77fe20488444ebbaafc5b2c0743251a94edc3b8e

SHA256
93d1e681daebfd24ff9fab3952e8ae94eddbdfb3650937988c1fd8085991610e

SHA512
0399452c7305f23576d4175ec198ad8da8a530215e9304632b20bcb41a38fa0ba2c1c0b0b734b9f887851c92c7f2cf4cdfad403ace84e63318c0694402e1f270

Download Submit
\Users\Admin\AppData\Local\Temp\nso7504.tmp\newadvsplash.dll

Filesize
8KB

MD5
7ee14dff57fb6e6c644b318d16768f4c

SHA1
9a5d5b31ab56ab01e9b0bd76c51b8b4605a8ccce

SHA256
53377d0710f551182edbab4150935425948535d11b92bf08a1c2dcf989723bd7

SHA512
0565ff2bdbdf044c5f90bd45475d478b48cdbd5e19569976291b1bdd703e61355410c65f29f2c9213faf56251beb16d342c8625288dad6afc670717b9636d51f

Download Submit
memory/800-113-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/800-114-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/800-112-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/800-111-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/800-110-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/800-162-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/800-115-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/800-116-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/800-117-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/800-354-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download