Overview

overview

7

Static

static

3

CCIS/CClea...te.exe

windows7-x64

6

CCIS/CClea...te.exe

windows10-2004-x64

6

CCIS/CClea...er.exe

windows7-x64

6

CCIS/CClea...er.exe

windows10-2004-x64

6

CCIS/CClea...64.exe

windows7-x64

7

CCIS/CClea...64.exe

windows10-2004-x64

7

CCIS/CClea...25.dll

windows7-x64

1

CCIS/CClea...25.dll

windows10-2004-x64

1

CCIS/CClea...26.dll

windows7-x64

1

CCIS/CClea...26.dll

windows10-2004-x64

1

CCIS/CClea...27.dll

windows7-x64

1

CCIS/CClea...27.dll

windows10-2004-x64

1

CCIS/CClea...28.dll

windows7-x64

1

CCIS/CClea...28.dll

windows10-2004-x64

1

CCIS/CClea...29.dll

windows7-x64

1

CCIS/CClea...29.dll

windows10-2004-x64

1

CCIS/CClea...30.dll

windows7-x64

1

CCIS/CClea...30.dll

windows10-2004-x64

1

CCIS/CClea...31.dll

windows7-x64

1

CCIS/CClea...31.dll

windows10-2004-x64

1

CCIS/CClea...32.dll

windows7-x64

1

CCIS/CClea...32.dll

windows10-2004-x64

1

CCIS/CClea...34.dll

windows7-x64

1

CCIS/CClea...34.dll

windows10-2004-x64

1

CCIS/CClea...35.dll

windows7-x64

1

CCIS/CClea...35.dll

windows10-2004-x64

1

CCIS/CClea...36.dll

windows7-x64

1

CCIS/CClea...36.dll

windows10-2004-x64

1

CCIS/CClea...37.dll

windows7-x64

1

CCIS/CClea...37.dll

windows10-2004-x64

1

CCIS/CClea...38.dll

windows7-x64

1

CCIS/CClea...38.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    161s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2023, 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CCIS/CCleaner/CCleaner64.exe

  • Size

    23.4MB

  • MD5

    99123031f2cefbf6a525f69a5c22e590

  • SHA1

    d7574c8f837bf40ba0e36d2ae1051b3bcaa0e8d6

  • SHA256

    2f6de608047ad892098b1dc368afee0c14d85e20e38835df8c85715660983ad1

  • SHA512

    2334bcd0b0cd501a9dbd56d352c8cdf13c2968e20902356b4792f0dfde62dc39969da03266868d79a858aae284cf8b8c88f5d8cd187721b384486e6defda3e41

  • SSDEEP

    196608:Ub4ZkHPfPHOm13/3Ev3wZ5h82rLZaV/7corqNgmow3QlxA9ORd37:AvHOm1P3EvgZ5hzEV/AorqNHH3fG37

Score
7/10
bootkitdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks for any installed AV software in registry 1 TTPs 6 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CCIS\CCleaner\CCleaner64.exe
    "C:\Users\Admin\AppData\Local\Temp\CCIS\CCleaner\CCleaner64.exe"
    1⤵
    • Checks for any installed AV software in registry
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
    Filesize

    512KB

    MD5

    b72569f81590a51ab7d1dfcc97b7da35

    SHA1

    fa0ecdd955e7370a9428493a92b317c66a8849ae

    SHA256

    1dd37202a2b954fe0b792d4a3ff6e1329c1632749a01c4e3c424d1e471aef2b7

    SHA512

    1db0202f31e049550d38d23b851e7a18e54f4ef5593865bcf96d601e318b23b5339be6bd6de90070707847caffdf2e79b85b9de239eae682c763d6740a5f6db3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
    Filesize

    14.0MB

    MD5

    059c4dd434946a04534f5a99b8bdab6f

    SHA1

    700a31f716e50250d8b5a14f3cd10e167918ee1d

    SHA256

    52b3efebfc3acd9f41e5ab2ae359cf688ddcdfc103df1bfa6db6c0446262d3f6

    SHA512

    a45711547fc56d22735d63d8cc85c2e40aa11f2fdc9bff0b8a608bddb7a4e5af15e393a966eaea13a7f47c0863c8cefeaa6e61e7c902e23abaeeec89fd440581

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
    Filesize

    16KB

    MD5

    ffc2e0580a7b288a056aad001b62882e

    SHA1

    20ca66fbc378f133b649ee8b1f0e5630ffcd00eb

    SHA256

    77974f39d0c999c809280f2fc91c33aa7a85234866c9fd45ca200a72199b0e9f

    SHA512

    1c88615b1464683daa4fb439058bcb8527d0d6b50b4902a6c7033df3f7788d2abfd043d9cca249661dfdbd0d6b8809f0a5eb5fa29f2c8d4c03d8aae86dc82d03

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
    Filesize

    16KB

    MD5

    276571642d9f1d04ede638b4ef8b71fc

    SHA1

    a1526e944477196b73ef623a75c3923c0aceb1f7

    SHA256

    0ad4cf8e29bc2424115ffe7556f0455341942afe0627f55955ef05f9bc51b655

    SHA512

    efbb19ae3cb3f715212123d08616a3b812f45a661d4c449c1e83c175136debb0277b809f3f4bd9dd9911ddac51a970a0cf21bd5a9130389ba22b3483a06f2e17

    Download Submit

  • memory/3344-39-0x0000021634BD0000-0x0000021634BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-41-0x0000021634BE0000-0x0000021634BE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3344-8-0x00007FFAD9D90000-0x00007FFAD9D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-9-0x00007FFAD7970000-0x00007FFAD7971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-12-0x0000021639ED0000-0x0000021639EE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3344-18-0x0000021639F30000-0x0000021639F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3344-36-0x0000021634B20000-0x0000021634B28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3344-38-0x0000021634BE0000-0x0000021634BE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3344-2-0x00007FFAD9D50000-0x00007FFAD9D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-7-0x00007FFAD9DF0000-0x00007FFAD9DF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-44-0x0000021634BD0000-0x0000021634BD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3344-47-0x00000216423F0000-0x00000216423F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-6-0x00007FFAD9D80000-0x00007FFAD9D81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-59-0x0000021634AF0000-0x0000021634AF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3344-61-0x0000021634C10000-0x0000021634C18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3344-64-0x0000021634AB0000-0x0000021634AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-68-0x00000216423F0000-0x00000216423F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-5-0x00007FFAD9DC0000-0x00007FFAD9DC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-4-0x00007FFAD9D70000-0x00007FFAD9D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-3-0x00007FFAD9D60000-0x00007FFAD9D61000-memory.dmp

    Filesize

    4KB

    Download