c2b88b7c0e3a630f69c35d3d476a01c38f83fca3efbba10e55188e0264ff56d6

Analysis

max time kernel
250s
max time network
291s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner.Technician.6.12.10490.Portable/App/CCleaner/CCleaner.exe
Size

32.7MB
MD5

79c9b293cfcf00a925b9c2de29551788
SHA1

d9df445c7abb906ef54638865f3faabf2b054b38
SHA256

8be625c9d9b17ec6529957221ef1ee951803fae647cf74c46382723b46fb626b
SHA512

bfba25f62c480a21ae85911634cdd3c9f17a976bfcaed1130a5c253aa20a4b1612475c5ebb02b23978938979a7b3d393cb0e94592b81e192d1fcbedeead5deef
SSDEEP

393216:I0OM+LR8MO0cz36nEy9larq8x2rxrxPCgQ/P9cND0oDtg8XrqNuIpfkl9hSkAePy:78LRFOr3hrD2rtZYHGVFIpg9PgKU

Score

6^/10

bootkit persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Loads dropped DLL 1 IoCs

pid	Process
680	CCleaner64.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
680	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe
680	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	CCleaner64.exe
Token: SeManageVolumePrivilege	680	CCleaner64.exe
Token: SeShutdownPrivilege	680	CCleaner64.exe
Token: SeShutdownPrivilege	680	CCleaner64.exe
Token: SeShutdownPrivilege	680	CCleaner64.exe
Token: SeShutdownPrivilege	680	CCleaner64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
680	CCleaner64.exe
680	CCleaner64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 680	1220	CCleaner.exe	28
PID 1220 wrote to memory of 680	1220	CCleaner.exe	28
PID 1220 wrote to memory of 680	1220	CCleaner.exe	28
PID 1220 wrote to memory of 680	1220	CCleaner.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe
  "C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0cc62f6b595c8acef5930bf6b32a36e5

SHA1
40d4928588665358ecc25da888eb2b9d697e07d2

SHA256
d71e38bb46c851e88400ce13f0640aba2a89c850eb4bf5dc894c91f0ce6725fa

SHA512
81f84d9495ed77829649416d7bb470aaa9e945644aeb67f9fca1f26032dcafaf08b8ec551e454c25caccfb2a518a43499d394aeedd0d5a376fe7c3e9c97dbc0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
fb3e0611962f03c3d4984c268acd1c97

SHA1
2ce36c77d05389b8f927d52c8cedecc4da6b6337

SHA256
8892a9406a136dbd1af59e1dd4110cceb588475915db9910ff516b66dbd844d8

SHA512
6509b52bceadf617e7d145b7c3986f10ade577b3c001d27abba6bdbf4482ca34bde422ad6f882329fd778f307b0c5242b692ac4de8ff3da3a6daf14403fe6392

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab842E.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8531.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\gcapi_1684609286680.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
memory/680-75-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/680-104-0x00000000035E0000-0x00000000035E8000-memory.dmp

Filesize
32KB

Download
memory/680-60-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/680-68-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/680-54-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/680-81-0x0000000003230000-0x0000000003240000-memory.dmp

Filesize
64KB

Download
memory/680-59-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/680-61-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/680-106-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/680-108-0x0000000003620000-0x0000000003628000-memory.dmp

Filesize
32KB

Download
memory/680-110-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/680-115-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/680-58-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/680-57-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/680-56-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/680-55-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download