c2b88b7c0e3a630f69c35d3d476a01c38f83fca3efbba10e55188e0264ff56d6

Analysis

max time kernel
262s
max time network
287s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-05-2023 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner.Technician.6.12.10490.Portable/App/CCleaner/CCleaner64.exe
Size

38.6MB
MD5

964d6247907a943b157f46222b9e0081
SHA1

59490157579368cb36206f41f6e6a358ffa8d867
SHA256

6361b1927a8688276f234b01102cc252d1635516ffd2208d9f0c96212bfd0149
SHA512

8c1ed9885f8c9159cc070c75421655f41ff0671d27c424c7e8774eaf9b18a9521a8153b38e0f555a568f5554dbf5bcb379276327c68761a125ae9ef19bf1ebe4
SSDEEP

393216:knsB9c3+rEF/mxhPR+GPJHV9sRSCcRhLlDVrqNXzuIIrl9hSkAePYnh:ksB9cOrFPfZXsRSCcn3IIJ9Pg

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1924	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe
1924	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	CCleaner64.exe
Token: SeManageVolumePrivilege	1924	CCleaner64.exe
Token: SeShutdownPrivilege	1924	CCleaner64.exe
Token: SeShutdownPrivilege	1924	CCleaner64.exe
Token: SeShutdownPrivilege	1924	CCleaner64.exe
Token: SeShutdownPrivilege	1924	CCleaner64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1924	CCleaner64.exe
1924	CCleaner64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe"
1⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ba08b651f91c3e7eb77e2a9bf5e6d2f

SHA1
a048430d9510c733dd7be6a85aa9267560775790

SHA256
2110eadf05b26b53eb7fb3a7fc8163d9c12d23d1e6018b6793f2ab86d1e86796

SHA512
e9ba38d50292ae8c30a6c9fff67bb388febcd0d2589a89c4ada7c00931dd8a786c1722309d88bd7a85c121118479e3e553528d7c8ecdbdcad84fbce063a95944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
0b24cbd391ede46239dee953bfd3b1a0

SHA1
a0bc12e533292a355c1be567fe2d2ca453292bc0

SHA256
111b0915068b71af99cc989c93c16e8a1651ba1893ba3ffae77c7ea059f36ea6

SHA512
245e7957969b30a1ab7fe28aa62498e579f43dcb4e90b30a00f68202ab179fb5cb504ec880154534eb82c069ea7ceb2f252156353ee11e1bd8082c818ee38f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab565D.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar576D.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\gcapi_16846092821924.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
memory/1924-71-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1924-101-0x0000000003690000-0x0000000003698000-memory.dmp

Filesize
32KB

Download
memory/1924-68-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1924-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1924-72-0x0000000003370000-0x0000000003380000-memory.dmp

Filesize
64KB

Download
memory/1924-78-0x00000000034E0000-0x00000000034F0000-memory.dmp

Filesize
64KB

Download
memory/1924-60-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1924-61-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1924-104-0x00000000036D0000-0x00000000036D8000-memory.dmp

Filesize
32KB

Download
memory/1924-106-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/1924-111-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1924-59-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1924-58-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1924-57-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1924-56-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1924-55-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download