c2b88b7c0e3a630f69c35d3d476a01c38f83fca3efbba10e55188e0264ff56d6

Analysis

max time kernel
203s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner.Technician.6.12.10490.Portable/App/CCleaner/CCleaner64.exe
Size

38.6MB
MD5

964d6247907a943b157f46222b9e0081
SHA1

59490157579368cb36206f41f6e6a358ffa8d867
SHA256

6361b1927a8688276f234b01102cc252d1635516ffd2208d9f0c96212bfd0149
SHA512

8c1ed9885f8c9159cc070c75421655f41ff0671d27c424c7e8774eaf9b18a9521a8153b38e0f555a568f5554dbf5bcb379276327c68761a125ae9ef19bf1ebe4
SSDEEP

393216:knsB9c3+rEF/mxhPR+GPJHV9sRSCcRhLlDVrqNXzuIIrl9hSkAePYnh:ksB9cOrFPfZXsRSCcn3IIJ9Pg

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Loads dropped DLL 1 IoCs

pid	Process
1744	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1744	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe
1744	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	CCleaner64.exe
Token: SeShutdownPrivilege	1744	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1744	CCleaner64.exe
Token: SeShutdownPrivilege	1744	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1744	CCleaner64.exe
Token: SeShutdownPrivilege	1744	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1744	CCleaner64.exe
Token: SeShutdownPrivilege	1744	CCleaner64.exe
Token: SeCreatePagefilePrivilege	1744	CCleaner64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1744	CCleaner64.exe
1744	CCleaner64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\CCleaner64.exe"
1⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Checks system information in the registry
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
fa6919384db7da3f0d0e6ed682ba4bb9

SHA1
01af7a1020820357ba45a943b7c1310cb67518d9

SHA256
0dbfb2c691ec06d9dccf674381940f4179ddec0af68b02fdb31b0090c910b4f8

SHA512
847a21733362ed743ca6c910aec4ac4b6329e6882525c23813d04aa8a5795ed02fef7860895d18f9e053f409d68be5b7dffa13664df7efdc527713889a283362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
01671539c94ba0a1aee472bd850cc785

SHA1
80baf939d155f46dc90387a6834430230242dcb9

SHA256
02f179fe07ccc7ae5cabc76c7b84ed977dab83d495a0d1384e2db4c2af42576f

SHA512
8e027541f0fd4c44538bc7377e516b0055c6497530c9dce159cdf5f78183c359cabb6c688c26c35b64ec11ba02ec4fed42bc32884802fe3fc7ded8fbc2d483ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
737422d004231ec18e96664c69552b68

SHA1
de3c37cfbb7dbc1e90c4d6799d05c0e244342491

SHA256
73287745b3ea1009cdaf4c44c48427b6f2721e3eaf5699bb6fbc42d10fae24ff

SHA512
abce3607e6ceefe10a3d181f3fc041d8eddaf9587dd8d8f1f509d386c717fef53a291dccc4ca2942af709c2c3d78f52f3b8208e1d0ddfeb7c3f76cdb08acc542

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleaner.Technician.6.12.10490.Portable\App\CCleaner\gcapi_16846092131744.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
memory/1744-175-0x000001E95CD80000-0x000001E95CD88000-memory.dmp

Filesize
32KB

Download
memory/1744-176-0x000001E95CD70000-0x000001E95CD71000-memory.dmp

Filesize
4KB

Download
memory/1744-139-0x00007FFE57C10000-0x00007FFE57C11000-memory.dmp

Filesize
4KB

Download
memory/1744-140-0x00007FFE57090000-0x00007FFE57091000-memory.dmp

Filesize
4KB

Download
memory/1744-137-0x00007FFE57C00000-0x00007FFE57C01000-memory.dmp

Filesize
4KB

Download
memory/1744-149-0x000001E94F5F0000-0x000001E94F600000-memory.dmp

Filesize
64KB

Download
memory/1744-155-0x000001E94F650000-0x000001E94F660000-memory.dmp

Filesize
64KB

Download
memory/1744-173-0x000001E95CEA0000-0x000001E95CEA8000-memory.dmp

Filesize
32KB

Download
memory/1744-133-0x00007FFE57BD0000-0x00007FFE57BD1000-memory.dmp

Filesize
4KB

Download
memory/1744-138-0x00007FFE57C70000-0x00007FFE57C71000-memory.dmp

Filesize
4KB

Download
memory/1744-178-0x000001E95CD80000-0x000001E95CD88000-memory.dmp

Filesize
32KB

Download
memory/1744-181-0x000001E95CD70000-0x000001E95CD78000-memory.dmp

Filesize
32KB

Download
memory/1744-184-0x000001E95CD30000-0x000001E95CD31000-memory.dmp

Filesize
4KB

Download
memory/1744-136-0x00007FFE57C40000-0x00007FFE57C41000-memory.dmp

Filesize
4KB

Download
memory/1744-196-0x000001E95CE20000-0x000001E95CE28000-memory.dmp

Filesize
32KB

Download
memory/1744-198-0x000001E95CE60000-0x000001E95CE68000-memory.dmp

Filesize
32KB

Download
memory/1744-201-0x000001E95CD70000-0x000001E95CD71000-memory.dmp

Filesize
4KB

Download
memory/1744-205-0x000001E95CD30000-0x000001E95CD31000-memory.dmp

Filesize
4KB

Download
memory/1744-135-0x00007FFE57BF0000-0x00007FFE57BF1000-memory.dmp

Filesize
4KB

Download
memory/1744-134-0x00007FFE57BE0000-0x00007FFE57BE1000-memory.dmp

Filesize
4KB

Download