b845ad16d2eee134b7d419762db15818eadc1f4af93e7db66a1df6268dec1678

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCIS/CCleaner/CCUpdate.exe
Size

594KB
MD5

6cd99a46f3aa6585906dd0b0b978e5d5
SHA1

c380fc6abceb56efa7bec92e93895018dce78c2b
SHA256

79ad6586cbcfde247bd97a5ab7ba95a118d009f966fa20a29d4131755fe1000f
SHA512

b429b27f4e4134ce3844706c99e6de29eaf821f72d29c16f5ebc0cdf262cf24d1791a696722812f3665e9fd2fb876a2242e4494e0b7da0340885271f0b96afc2
SSDEEP

12288:PLiXlpkmy90dDRggggMEh0+khbkyh6AsXQUNlKRbE+fTUQdUENi2KhYAOV2F7+/C:uXl+m4gggggM9b/sgUTCfTUQdUoi7hAY

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CCUpdate.ini	CCUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
1380	CCUpdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1380	2136	CCUpdate.exe	28
PID 2136 wrote to memory of 1380	2136	CCUpdate.exe	28
PID 2136 wrote to memory of 1380	2136	CCUpdate.exe	28
PID 2136 wrote to memory of 1380	2136	CCUpdate.exe	28
PID 2136 wrote to memory of 1380	2136	CCUpdate.exe	28
PID 2136 wrote to memory of 1380	2136	CCUpdate.exe	28
PID 2136 wrote to memory of 1380	2136	CCUpdate.exe	28

C:\Users\Admin\AppData\Local\Temp\CCIS\CCleaner\CCUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\CCIS\CCleaner\CCUpdate.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\CCIS\CCleaner\CCUpdate.exe
  CCUpdate.exe /emupdater /applydll "C:\Users\Admin\AppData\Local\Temp\17b1871e-c166-4645-b57c-c0b065e927c8.dll"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Loads dropped DLL
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17b1871e-c166-4645-b57c-c0b065e927c8.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Users\Admin\AppData\Local\Temp\17b1871e-c166-4645-b57c-c0b065e927c8.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ab7b1e8-d125-496c-ab6e-577d327b8145.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
\Users\Admin\AppData\Local\Temp\17b1871e-c166-4645-b57c-c0b065e927c8.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads