22e4f72c966d77d30c53ee44964d584aefc4d7247ab5403d558ab24791bda4b8

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner.exe
Size

13.0MB
MD5

3a6159f8c9fe7feac3cc654f0f480102
SHA1

6f1538e24e39411a915077840c42c23cc734159c
SHA256

5fc24a79699229ef15b665209f92b635011eca25f0c7062aab64a87cb668db1a
SHA512

c2495a5661c39b1751cabc92a5b5a2baf0443858e60173761cc208319bed8b8d16c0273c1c7084927067d558d6ccbc56b31a58652579f617d6bc754aa75274b2
SSDEEP

196608:hm2nto8x4sLUnv0w4196WevtKaAmxrqNyzGLA9uB:hBntronvqDGYoxrqNyZu

Score

6^/10

bootkit persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4468	CCleaner64.exe
4468	CCleaner64.exe
4468	CCleaner64.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 4468	3248	CCleaner.exe	90
PID 3248 wrote to memory of 4468	3248	CCleaner.exe	90

C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe
  "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4468-0-0x00007FFE4B530000-0x00007FFE4B531000-memory.dmp

Filesize
4KB

Download
memory/4468-2-0x00007FFE4B550000-0x00007FFE4B551000-memory.dmp

Filesize
4KB

Download
memory/4468-1-0x00007FFE4B540000-0x00007FFE4B541000-memory.dmp

Filesize
4KB

Download
memory/4468-4-0x00007FFE4B560000-0x00007FFE4B561000-memory.dmp

Filesize
4KB

Download
memory/4468-3-0x00007FFE4B5A0000-0x00007FFE4B5A1000-memory.dmp

Filesize
4KB

Download
memory/4468-6-0x00007FFE4B570000-0x00007FFE4B571000-memory.dmp

Filesize
4KB

Download
memory/4468-5-0x00007FFE4B5D0000-0x00007FFE4B5D1000-memory.dmp

Filesize
4KB

Download
memory/4468-7-0x00007FFE490A0000-0x00007FFE490A1000-memory.dmp

Filesize
4KB

Download