Analysis
-
max time kernel
68s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
20-05-2023 16:53
General
-
Target
CCleaner.Technician.6.12.10490.Portable/App/CCleaner/CCleaner.exe
-
Size
32.7MB
-
MD5
79c9b293cfcf00a925b9c2de29551788
-
SHA1
d9df445c7abb906ef54638865f3faabf2b054b38
-
SHA256
8be625c9d9b17ec6529957221ef1ee951803fae647cf74c46382723b46fb626b
-
SHA512
bfba25f62c480a21ae85911634cdd3c9f17a976bfcaed1130a5c253aa20a4b1612475c5ebb02b23978938979a7b3d393cb0e94592b81e192d1fcbedeead5deef
-
SSDEEP
393216:I0OM+LR8MO0cz36nEy9larq8x2rxrxPCgQ/P9cND0oDtg8XrqNuIpfkl9hSkAePy:78LRFOr3hrD2rtZYHGVFIpg9PgKU
Malware Config
Signatures
-
Checks for any installed AV software in registry 1 TTPs 11 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Loads dropped DLL 1 IoCs
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.exe"C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe"C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner.exe"2⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5142bfbd3d27c28c128faa05ff0794f38
SHA111ad155dc565c24df344209220e535df30f04e7b
SHA25627df224a20cc374f68ae4f3c2b992eb19382965d2f9ee6af79f0b231a0302026
SHA512fa36812e9a4ef7188d953ea598ce77631a068008da0d61516e9777e52f43a0ca6f40705ff4d05c35914290d6a8dcf20b0a42e26379ec5c6d748e7af3936b8f01
-
Filesize
14.0MB
MD5f88f5bc0be5e959feb95a6bafea8b5eb
SHA10c31075d1214f7000eb2ff0e77030cd390f84ba9
SHA2564e8e839ac6806b2a89a81816546d4730ecc300176f6c067e3c508e9908b237a3
SHA512b2fc883d8e7142781b3d0735640c601242389ffc47bf49ad7752a45c4e2eb7912de55bcc06dd5c3f9f1c6b28b703f7a63fa62fefdb2a111275a51c4c901c09d3
-
Filesize
16KB
MD59167d3580b64618e1901c07eeac703c5
SHA1b2fe8043c7d685b3c7fa48713e638354ff21b1f3
SHA256f44b3e89d41a4c829ab6bd3b16c6e3d2da28c12110a3a0bb02176dd08fdd95db
SHA512def2aedd00c6bc32cd6813a9a254ba29eb23f9798a61c0c984795a06073012aa64f910f562ddbb36dac77cdb14e92ebc20ba1cfcc32e28b03f05b9ee444d1988
-
Filesize
740KB
MD5f17f96322f8741fe86699963a1812897
SHA1a8433cab1deb9c128c745057a809b42110001f55
SHA2568b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb
SHA512f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB