c2b88b7c0e3a630f69c35d3d476a01c38f83fca3efbba10e55188e0264ff56d6

Analysis

max time kernel
191s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2023 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner.Technician.6.12.10490.Portable/CCleanerPortable.exe
Size

83KB
MD5

5aeed26e8407efdba31fc41fbe2014dd
SHA1

d3284d5441d3c5ec9fa50c0aba100ed0d93f5c79
SHA256

c63a1798b3d1884fd9fefda4a4fca2692ac14c56252b8238c55ce2f00edfb5f8
SHA512

df1fda897f5a92cb9569fb9139656fd0f80f4b4f8c430e6fcfa246221cc0810157b3fd5a7772203f969f71471964345420e1635538adee5ee199a0aba1f44e28
SSDEEP

1536:MQpQ5EP0ijnRTXJeTHUAQBKnTu73/Cp1jnFYicR5Ca7S1gU5kE4s:MQIURTXJeTUAQBma73/Cbnr45Ca76gTs

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	CCleanerPortable.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	CCleanerPortable.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	CCleanerPortable.exe

Loads dropped DLL 6 IoCs

pid	Process
1780	CCleanerPortable.exe
1780	CCleanerPortable.exe
1780	CCleanerPortable.exe
1780	CCleanerPortable.exe
1780	CCleanerPortable.exe
2228	CCleaner64.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1780	CCleanerPortable.exe
1780	CCleanerPortable.exe
1780	CCleanerPortable.exe
1780	CCleanerPortable.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe
2228	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	CCleaner64.exe
Token: SeShutdownPrivilege	2228	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2228	CCleaner64.exe
Token: SeShutdownPrivilege	2228	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2228	CCleaner64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2228	CCleaner64.exe
2228	CCleaner64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2228	1780	CCleanerPortable.exe	79
PID 1780 wrote to memory of 2228	1780	CCleanerPortable.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\CCleanerPortable.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\CCleanerPortable.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe
  "C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe"
  2⤵
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.dat

Filesize
88B

MD5
43f3299de6aa858dd915ffc677179355

SHA1
71a74ecfc5f3231fd877b2e5a67cc24f693ac155

SHA256
cc0842e9dc34d6e46f40c3edeb70b6f07ba2419947392f55719651f2b82d0590

SHA512
113527135b79198b72b5fe0b9f59888a45107ed3be84c106cd6103573b8174c94dab55743feb0d76cc46178bab4012856ac1b98d9fc2fc83e0dc915ef5371ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
288B

MD5
ff871fb19594f84d824c46c2e84ad39c

SHA1
acffd305d7075b1b294f614c43bacce8fed4571e

SHA256
6f0fdb404bd0312f4e3d30432a28a62054d37b57d68d087a146f3835ec5e4044

SHA512
fdb3dc6cf7b28a404ec8c5b435e9f9a51fae5c944768ceb5eccfb2b9926e8feb8ab8c6e4df89e397c182cbd5a2f417410809a292103d0b87ea564802637132dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
329B

MD5
51a2e25a508adcb94f09571ebc6bd331

SHA1
20647e82ed914951ad2f3bc95adbdac5c67363e7

SHA256
fccbb597025d748252cee875c44d7da5e03329828f0082bbe3724cca331be21f

SHA512
b0c99890e490d1b06b390a82929567537c2ea72e12d574f50ee06dc0c68a0ae3b43ff52c90392e6e8c9d1eafd54e0ed201f3b8348a8c3cda8a55c62e5b541db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
349B

MD5
601b2cc7ae93fa7f9bd5a1ec19480ebe

SHA1
142d9269bb7f50b221ffa9cb93a08941f23baaaa

SHA256
604c03686afa03b73e6ee3bc549d0cb0741b97674c964490ed2a4fa88055b289

SHA512
9b9901622f1ca2a765ca73c5d1f12ca8433f3ba3dac74de19ff120d8f7d5de8a20eb697e092d531708c1bdae6972f0c322222e0b2b64dcef6d6dbb81f9c86839

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
369B

MD5
f6c53527478ebfb2313872e43dab0b97

SHA1
c59b7828d8cde3b35dada189727712c4ed2d4619

SHA256
a6945ba3d88b32a9401e6b575cda3d626736d532ea1680ba438581163093a08e

SHA512
ed3db80c2c7b107dcb99374395b5c3c7113a528ec9601514459d91fa871b0602bf832c1029b41f486d53edbe96d45121492f7622536cd861aa7293b621658db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
453B

MD5
63f11c2835aa0a34108aeda1ebf816b4

SHA1
03f6a43c8ba120bfca9fce746a63a94375117f9d

SHA256
f0b7b941c532725298295b6970424ea970b7927d3fd3dbec45c90bea77b6f7c2

SHA512
59336aceaa1947d335806642791fb4de876ff39b4b84c6036101366cba32081a5d601305258021cb5c6aad9758b8c6e1d440de20aa6ea43c92e05cd1d5d6f802

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
467B

MD5
835643b7efccbaf8fa5408f24566139c

SHA1
16611c4dae3ca09ca7115d008f22c44a72fccf84

SHA256
fa0cef9a4cba7a2107862f9da855fd4b28f15f05b7fe2d99b38d86dd073cbf14

SHA512
33fc8c8582eef120867764eb067a247337af3d0ebad438aba50d43f2a7437b16b2f6808988a6dbe3aef619db95778b86f9a88eb6726000a0556bbe5cdcdc442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
493B

MD5
0464e10d13e11fc587a1bafd88f8fbb3

SHA1
59ed5c2f86ac4516ee106de28c633133ff6e5fcf

SHA256
d16a74b0a66e594a68b8a1938f346ec02dbd56f7909268000c401cf9e605cce6

SHA512
899151f34ca60f06e1ad27f1fa60ca8c9584b7ffb5659f42c9dbc4ffcfb19afa4ab2dfe0d14f42cba416235315383ab825a06684ba1567e980df212f2ec5ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.ini

Filesize
527B

MD5
ff3a2e6101db25f72af5d5aab2f4c58d

SHA1
3ca1ca3cd866b0d9a9aa6a67f82585069c866d1f

SHA256
7e327646b7d682888496d75d900b0c4b83d13cab057d54b88d47d7864d336c44

SHA512
6486d497d5efa1edaccdd5add755c0dc8540bf81bb5cd8548758fa49f019ab7c047a0550904a5ba49be6d0bc5dd9081283c02b3d6841a0cf80ba3460026c9f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\ccleaner.ini

Filesize
251B

MD5
1bd61b2f088e00b9206bbaba714644f7

SHA1
a43ea099c6b0a33ed5ab0cd719e442e82de32d67

SHA256
6cd3759b18f11c125a335510c681522a5db8dd1de94d95f7f09337cd7cbb9d6c

SHA512
d414ff517ebb6166c027a2f0beca6de2e2577c9fe5b7c33306e80fc280e7894702e7763c5956b45739b56974663c28068d218e32a0007ce3bc1171797342fe93

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\gcapi_16846093112228.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\CCleanerPortable.ini

Filesize
162B

MD5
537b7fb2d65be538ef78c64d96044245

SHA1
4135a561ed53361e7f11d4ded092451a441aa15d

SHA256
4bbdb369fc03e05b5ac875be166b7fd8277470dc80d21433544625bbf987bb76

SHA512
be8427af669bea0e2eb7930f84cccb38be6d31c41823135b8b63c423c9141f6d115e4b086a579a68ec2b345d7b4dc910fe9298718601c05d846f9659d0cd98a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCC75.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCC75.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCC75.tmp\FindProcDLL.dll

Filesize
3KB

MD5
75e7351a0f836b8659e6f315683c29f7

SHA1
66b733d1c978d68cadc245e7efbfcae32807429d

SHA256
7ffc549e7f679a08c77fa230654b77cdffb3444296bb7c6b8b5769db374b61ee

SHA512
f03400798b07ccca5e12fa119a586ee9444deb0d2419aced24d93fd84a4702d66864a71b40a11b04b1dbe56e36481cd6a644aec0347bc82bc7375b27bc403fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCC75.tmp\Registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCC75.tmp\System.dll

Filesize
11KB

MD5
a78507ea1078cadaa8b2ec1a2e1d874f

SHA1
77fe20488444ebbaafc5b2c0743251a94edc3b8e

SHA256
93d1e681daebfd24ff9fab3952e8ae94eddbdfb3650937988c1fd8085991610e

SHA512
0399452c7305f23576d4175ec198ad8da8a530215e9304632b20bcb41a38fa0ba2c1c0b0b734b9f887851c92c7f2cf4cdfad403ace84e63318c0694402e1f270

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCC75.tmp\newadvsplash.dll

Filesize
8KB

MD5
7ee14dff57fb6e6c644b318d16768f4c

SHA1
9a5d5b31ab56ab01e9b0bd76c51b8b4605a8ccce

SHA256
53377d0710f551182edbab4150935425948535d11b92bf08a1c2dcf989723bd7

SHA512
0565ff2bdbdf044c5f90bd45475d478b48cdbd5e19569976291b1bdd703e61355410c65f29f2c9213faf56251beb16d342c8625288dad6afc670717b9636d51f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2228-196-0x00007FF9E78E0000-0x00007FF9E78E1000-memory.dmp

Filesize
4KB

Download
memory/2228-195-0x00007FF9E8150000-0x00007FF9E8151000-memory.dmp

Filesize
4KB

Download
memory/2228-194-0x00007FF9E81B0000-0x00007FF9E81B1000-memory.dmp

Filesize
4KB

Download
memory/2228-193-0x00007FF9E8140000-0x00007FF9E8141000-memory.dmp

Filesize
4KB

Download
memory/2228-192-0x00007FF9E8180000-0x00007FF9E8181000-memory.dmp

Filesize
4KB

Download
memory/2228-191-0x00007FF9E8130000-0x00007FF9E8131000-memory.dmp

Filesize
4KB

Download
memory/2228-190-0x00007FF9E8120000-0x00007FF9E8121000-memory.dmp

Filesize
4KB

Download
memory/2228-189-0x00007FF9E8110000-0x00007FF9E8111000-memory.dmp

Filesize
4KB

Download