22e4f72c966d77d30c53ee44964d584aefc4d7247ab5403d558ab24791bda4b8

General

Target

CCleaner.exe
Size

13.0MB
MD5

3a6159f8c9fe7feac3cc654f0f480102
SHA1

6f1538e24e39411a915077840c42c23cc734159c
SHA256

5fc24a79699229ef15b665209f92b635011eca25f0c7062aab64a87cb668db1a
SHA512

c2495a5661c39b1751cabc92a5b5a2baf0443858e60173761cc208319bed8b8d16c0273c1c7084927067d558d6ccbc56b31a58652579f617d6bc754aa75274b2
SSDEEP

196608:hm2nto8x4sLUnv0w4196WevtKaAmxrqNyzGLA9uB:hBntronvqDGYoxrqNyZu

Score

6^/10

bootkit persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe
1724	CCleaner64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1724	1716	CCleaner.exe	28
PID 1716 wrote to memory of 1724	1716	CCleaner.exe	28
PID 1716 wrote to memory of 1724	1716	CCleaner.exe	28
PID 1716 wrote to memory of 1724	1716	CCleaner.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe
  "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

Software Discovery

1

T1518

Security Software Discovery

1

T1518.001

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-0-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1724-3-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1724-4-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1724-5-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1724-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1724-7-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1724-8-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1724-45-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads