33ffc220033c7f50c7aa2e00796f62e9e84843972272381546fbe5d8e758e389

Analysis

max time kernel
134s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29/06/2024, 17:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccleaner_browser_setup (1).exe
Size

5.4MB
MD5

01ec413c8459cb62678be1541afa4084
SHA1

4b0669f357d2acd535a3a4e7ee9b83b7b2d966fa
SHA256

33ffc220033c7f50c7aa2e00796f62e9e84843972272381546fbe5d8e758e389
SHA512

c0056d90b34244ae55a5267180d983cfd5a2f08a65f183184d80aef9536a9a5ed3f431a6d457708258852e36c1509f9ae917d922e485f60357b0e7c72dd6c7cc
SSDEEP

98304:aFhCVHsZ2GQtEqlQO4H7nKcZI0GSk7PKzuI90uMv3ILYVxzpxRA3hmw3RyzJKuud:scsZoXlQO4bn18PpIC3SYVxzFA3hmMRH

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	ccleaner_browser_setup (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	aj6EF9.exe

Executes dropped EXE 1 IoCs

pid	Process
236	aj6EF9.exe

Loads dropped DLL 14 IoCs

pid	Process
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj6EF9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\AVAST Software\Avast	aj6EF9.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	ccleaner_browser_setup (1).exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\AVAST Software\Avast	ccleaner_browser_setup (1).exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aj6EF9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj6EF9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj6EF9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
236	aj6EF9.exe
236	aj6EF9.exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
236	aj6EF9.exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe
3640	ccleaner_browser_setup (1).exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3640	ccleaner_browser_setup (1).exe
236	aj6EF9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 236	3640	ccleaner_browser_setup (1).exe	73
PID 3640 wrote to memory of 236	3640	ccleaner_browser_setup (1).exe	73
PID 3640 wrote to memory of 236	3640	ccleaner_browser_setup (1).exe	73

C:\Users\Admin\AppData\Local\Temp\ccleaner_browser_setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\ccleaner_browser_setup (1).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\aj6EF9.exe
  "C:\Users\Admin\AppData\Local\Temp\aj6EF9.exe" /relaunch=8 /was_elevated=1 /tagdata
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aj6EF9.exe

Filesize
5.4MB

MD5
05972d8d259b2611318c3f2da86cf558

SHA1
0ca937365780cb3d21c712a66275afd12666e74f

SHA256
e927c2261fb3e3fb30cb340cbdfe8de23599667beadad5b9043d60c5a4bcb979

SHA512
d12a51c4ef98ebe33a60c0228fbafd70bd20cd6faf1b6c32fdad3bd25cc08a18ea7586dfada09c1b624b91bbd4b8a28fa8a3a1a89b5a2a66746727e13cb8b5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccleaner-browser-web-tags

Filesize
40B

MD5
eafb3d2a355e2ca8285dc085363f85b4

SHA1
3cc99ecfb3e95f5fc420ea80c43224ef1379502c

SHA256
161b7794187c74f2fe0976552bc6a23a54d8bc0ea121af4dd95a0399229de5e5

SHA512
e1ad4b45eac563f7f61aeed00868791ada2572052f833cd2f2fa5c140c4132ec05d64cbefefd4536b7f83d62406b602b858c1bd61b712708fda08d4adf1d2941

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw709E.tmp\CR.History.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw709E.tmp\FF.places.tmp

Filesize
5.0MB

MD5
d7d681193eeb9c3a7373bf8fa70d1989

SHA1
d3b69aaa1b33877695e2c00d09df30157f9a62c8

SHA256
7a71b7a8eb6615e8d00e1f5d5752981781b05c9a9f6f979034871f9585889ea2

SHA512
d6be6922db9341496aa186e06bc57326741d940cf26d62e661a53c1f697ee7d33aed7331e583523ad336181627d500020894df4e1901e24b10f4102f62a9738d

Download Submit
\Users\Admin\AppData\Local\Temp\nsn6709.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
6090bd09b765115dbf8dc4a1abc74f9f

SHA1
5c0e83cb0c28bed937d4631df091bdc9a22c517f

SHA256
9187b575e8545d20848ae7fdba3a2d8b486c25e1791498f391a7138bef71df4f

SHA512
17200b952661f355d5ffbaf265897748d1764fd30626b42ac301f5ff8988e58df2f06cb6620d6b5a97cafaa99dd10a4be83e828247ad8eea153d0bb632ef78d1

Download Submit
\Users\Admin\AppData\Local\Temp\nsn6709.tmp\StdUtils.dll

Filesize
195KB

MD5
12ac127b39158e113f0c4706f0c79789

SHA1
ec366d1f249fc992f1996bf9a4cc2415c76d8bcf

SHA256
f00f64c9116b359184eaf9dcc36d780f7ac87f9568992d7f2644d12476457599

SHA512
386f8ca5b1e186d166dc2a7bafc734e49e0d69a41421bfd641916d26531b5f7728f4a7f50c481075a708dd3c38db815163dd7ae03b9651d8bbd797c2238b7fd2

Download Submit
\Users\Admin\AppData\Local\Temp\nsn6709.tmp\jsis.dll

Filesize
127KB

MD5
9c5bfca91c74478122bd493271e7467a

SHA1
663b25f0c50cfac5ae35f77465f33fb2ca57c961

SHA256
bb85cd31b83ce192fef588e417c4749e83fee19723c814eaf00594c37e75c2c6

SHA512
cf0a2e7cebc406d08d1872e088b3bd110c388430f26def44d1fc40d4222b63a5cc3a5824061a96e5b85dbaaaab58305f69a3b70308d12658fca60cb5c5434bdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsn6709.tmp\nsJSON.dll

Filesize
36KB

MD5
c80631ed154254fcf2d362e532119ab5

SHA1
14104226258dc5b3fc88fd815547c01b1cec2735

SHA256
73698082634a7052fccd9e6ab20a0e9179a4421071e10c0ad53591dfc9ea24aa

SHA512
3d37acefe015e72c82d2e38f155df2a28f84728a5819b518bb3a5b083a6dcee9e227ca423711dd79b5eb9caa34ac6d34bc7d26de3571f0e5ed566d3818e545e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsn6709.tmp\thirdparty.dll

Filesize
93KB

MD5
e0b4e00b83f48e73892f84314291dfed

SHA1
9a12059794afc2e6a8024774d21912a5f510c787

SHA256
5da4ceecf1d0336e9b7fc1ccba2c5a76ac94cb6e6df49b94a8a7dcb5c48b506c

SHA512
9c8c2f5c43f65e2650ebb48ff21d69552cc0fbebafb03e1e232e2c1b9ba1a5fc0c5f5b2703a76d1601bd9cd70a125ec5b6d7a1c3ae685d488fc767961b0e6142

Download Submit
\Users\Admin\AppData\Local\Temp\nsw709E.tmp\Midex.dll

Filesize
126KB

MD5
9c3678d423b7cfc308c1857e5f93ede7

SHA1
d0b384ba07a52aeba957b2bd171da3dc0de2a6bb

SHA256
c87fcd7ea8669ba4a5cfca83ddaee610260be721d6fba19e537f1c706b7295ca

SHA512
27e5832aa51e867a8c32330521ac4d71f4c3d2bfd5ced0aa45dc2fcd42870fa5645abbbed29ac369ef0a73eb64b30a573ee74502c672b80cea29e911e98d54f3

Download Submit
\Users\Admin\AppData\Local\Temp\{2597BDBA-A6D6-45CB-B1B5-4BC81E08E7DA}\scrt.dll

Filesize
5.7MB

MD5
f36f05628b515262db197b15c7065b40

SHA1
74a8005379f26dd0de952acab4e3fc5459cde243

SHA256
67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31

SHA512
280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

Download Submit