b43403c0a91577e2fec68c0213a3222bdfb31badca45a59eaeada026cf8120b9

General

Target

CCleanerPro_Ver.5.57.7182_Chs/CCleaner64.exe
Size

22.0MB
MD5

30745c4f8e82d890fe58d3e5f8c496f3
SHA1

7c1e8e45b7364a81ac184a646908608bbdaaeecb
SHA256

8eeb2d1bf58fe0714ae2e5acb0dd4b7eb1f4227e439fa56c61c8d76f0f3c1c8b
SHA512

9896289c029d571caa648451876514710e0ab73303b18a79172c8fe2289e18302b0a9e065287e21b9f466cad622fd425c57ad7edb68dd1b1fcc42e491adc629d
SSDEEP

196608:KKG+kw+yVU2q/ll7n+Kqps5arqNIVUzjdfNUa1:RGl1silVnpqi5arqNM0jj

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 13 IoCs

Security Software Discovery

T1518.001

Processes:

CCleaner64.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\AVAST Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Avira\Antivirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\KasperskyLab	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

CCleaner64.exe

description ioc process

File opened for modification \??\PhysicalDrive0 CCleaner64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CCleaner64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

CCleaner64.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main CCleaner64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	CCleaner64.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

CCleaner64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	CCleaner64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

CCleaner64.exe

pid	process
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe
2288	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CCleaner64.exe

description pid process

Token: SeManageVolumePrivilege 2288 CCleaner64.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

CCleaner64.exe

pid process

2288 CCleaner64.exe
2288 CCleaner64.exe
2288 CCleaner64.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	pid	process
Token: SeManageVolumePrivilege	2288	CCleaner64.exe

C:\Users\Admin\AppData\Local\Temp\CCleanerPro_Ver.5.57.7182_Chs\CCleaner64.exe
"C:\Users\Admin\AppData\Local\Temp\CCleanerPro_Ver.5.57.7182_Chs\CCleaner64.exe"
1⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
bbdbdfb3fd4728443c6e5d06151f09ab

SHA1
7f0cc0203085135dbd4b9580ea0320af32e841c3

SHA256
33cbe2a102f8ea2ffba715e107772cc620638b31d1ed7482eb8168faaaa976ba

SHA512
0a05a7fdd043468ba1474a9a026e63c81d76867ffba997bc494ce3b0778d34046318c033f9210012f2e50199c4358b591e5c52e842daf23a229344ed54929a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleanerPro_Ver.5.57.7182_Chs\ccleaner.ini

Filesize
388B

MD5
abd14da7583a6411086f91cf1973c5fe

SHA1
6bc4e17bddfa4c3e557557320fa54c70f9b185ee

SHA256
cc17ca1cf49b9d58d70c9e6628bc35cf19ae95a63fec3f89c0b13d23de3aa1be

SHA512
d4d641f431f2bef9420c6684dbc641b4d180bdb5a4d9c24b1cc9b189a122a03f021894fea5ef840bd79b6066475b5a1e5d6ea8c923d855c435a87ea67d2d5c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleanerPro_Ver.5.57.7182_Chs\ccleaner.ini

Filesize
255B

MD5
e8d6312d001eb0b88a45ccf2aef179e4

SHA1
44215039af287cad391e0ef48857f26a39545f3a

SHA256
c4f0cec8d6b05e69b5c6ea0c301eac765ee2f7a94961dc98ee87b86df1b0306c

SHA512
2ab093e61ba21cdca0308ef5a73ea72714a1dadd18d8044ade1f9c70e9737ffcac32e501849d67a0ae23d4f9b1463cc1f14303b9dd2f591e27e47b96ee4b2678

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleanerPro_Ver.5.57.7182_Chs\ccleaner.ini

Filesize
458B

MD5
ac4e738fc609940f80f82faf73ffea49

SHA1
dc87c8a53d30d9cbd93acaa3770e2546d9acce3a

SHA256
a19c40c28f103d98eecbbc26935e9e94cbdf12e08f65d0f623f3abd452486c1b

SHA512
3ed2d7e11ac48a0575d3d011969516deb2fe266b441c5025c8f0d6a6024cd382ca284eb6e324c2149b7f725790de0bf650e08545a76edf4755983fd134c2100a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleanerPro_Ver.5.57.7182_Chs\ccleaner.ini

Filesize
492B

MD5
942a65e6f83267594753b7d3e5609833

SHA1
573185bf395644dbd56e6357c4692131597daeb5

SHA256
3728c280cae14014ddaf5cead8d2141324ba4f350f81e21e7b1782fbf6679297

SHA512
ef4693b11d9a2b2a2ac866f62c99133e1a51f58a566d1eb7e236392b138b1e55718245c4527168f3a0915de5d8da214169d6dcfed5a81285f511dfcaff2a90f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCleanerPro_Ver.5.57.7182_Chs\ccleaner.ini

Filesize
280B

MD5
28f89c6b77b5fbedb4b9ec43eb6da269

SHA1
f51dbd8ef1d4111daa52d13a777a35a859b5741b

SHA256
28a4a3b1506e8f52fa575149ee689460e03d4ddf77247a3a89c1348b3784e8d7

SHA512
40beab5c942715afa30639826768ca258c00cefb8e1ea4daec602418b41d6e5f17b6371b3aa2b94edcd0ca099b9bba4d9028e0de6607fb62da377482450333d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFDB.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12BB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2288-60-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/2288-91-0x0000000003210000-0x0000000003218000-memory.dmp

Filesize
32KB

Download
memory/2288-23-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2288-22-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2288-21-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2288-68-0x0000000003010000-0x0000000003020000-memory.dmp

Filesize
64KB

Download
memory/2288-20-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2288-24-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2288-94-0x0000000003250000-0x0000000003258000-memory.dmp

Filesize
32KB

Download
memory/2288-96-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2288-101-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2288-19-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2288-18-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2288-17-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2288-16-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2288-451-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads