c1b9b1cf79fe82dc05c78d722eb15b11838825289785917ab040e53933b937f0

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCClearSophos.exe
Size

776KB
MD5

64734f8bad63f2bc9dd152eb1acec48b
SHA1

573233bd4b4efd3e915a7173252840676783838e
SHA256

cf663da5d2062f50e14fcce76903a0bc3de65e5722c41f31f62d09b9d592b5cc
SHA512

87049d5c4da7c90503115fd22fc669e8d9a866174653419608bf5277edeec632fe42617adb14d244c3518e1d455660e4f63209d26725cc5cff65fb1c7d821fa1
SSDEEP

12288:iBtcyc6rLxfTcWTqu7NqDzVOZCeRlG4WFJQjsEqPrCxUBkTl6mqOZWYrsN3:Cg6rLxYWinUZCeRlG4WXTCxUBkVqv7

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCClearSophos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcreg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCAutoUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcReg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	pcReg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2840	PCClearSophos.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2840	PCClearSophos.exe
2840	PCClearSophos.exe
2616	pcreg.exe
2616	pcreg.exe
2560	PCAutoUpdate.exe
2560	PCAutoUpdate.exe
2352	pcReg.exe
2352	pcReg.exe
2352	pcReg.exe
2352	pcReg.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2616	2840	PCClearSophos.exe	30
PID 2840 wrote to memory of 2616	2840	PCClearSophos.exe	30
PID 2840 wrote to memory of 2616	2840	PCClearSophos.exe	30
PID 2840 wrote to memory of 2616	2840	PCClearSophos.exe	30
PID 2840 wrote to memory of 2560	2840	PCClearSophos.exe	31
PID 2840 wrote to memory of 2560	2840	PCClearSophos.exe	31
PID 2840 wrote to memory of 2560	2840	PCClearSophos.exe	31
PID 2840 wrote to memory of 2560	2840	PCClearSophos.exe	31
PID 2840 wrote to memory of 2560	2840	PCClearSophos.exe	31
PID 2840 wrote to memory of 2560	2840	PCClearSophos.exe	31
PID 2840 wrote to memory of 2560	2840	PCClearSophos.exe	31
PID 2840 wrote to memory of 2352	2840	PCClearSophos.exe	32
PID 2840 wrote to memory of 2352	2840	PCClearSophos.exe	32
PID 2840 wrote to memory of 2352	2840	PCClearSophos.exe	32
PID 2840 wrote to memory of 2352	2840	PCClearSophos.exe	32

C:\Users\Admin\AppData\Local\Temp\PCClearSophos.exe
"C:\Users\Admin\AppData\Local\Temp\PCClearSophos.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\etc\pcreg.exe
  C:\Users\Admin\AppData\Local\Temp\etc\pcreg.exe /avscanpro /chk
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\PCAutoUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PCAutoUpdate.exe" /b
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\etc\pcReg.exe
  "C:\Users\Admin\AppData\Local\Temp\etc\pcReg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\btn_scan.bmp

Filesize
40KB

MD5
0c2de151b643be722228572406bf836c

SHA1
3970c76db99ebfaf595b1c095bbb04931ad17f38

SHA256
e7052c3629df41700d3e3c334fe400bea224553acf605211ea3ebbc8f362162f

SHA512
69da7749568e2ff9db9073f78c8632229ae1416bca090e6dd71e5144e47a7b334d2135868e6a22ef37d7d4457ca5bfadfd8dfaa47ca4d4d51be316b862109e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\HorizontalScrollBarLeftArrow.bmp

Filesize
728B

MD5
cce234a253b22709eeff1eb27627eb70

SHA1
9617f5523a1f0b1b439b689be38197e86a22c04f

SHA256
d35ba5bdfc8d4ab4dc1a92c436e29cd30ab66fd63fe970783daab7b177da9156

SHA512
f5fa6ec560e5090c5c90dd184de256dcdd3c27369e987d77027a40bc04e30070dc885dc2168beba01b6cc60f60e18b400655e400b24bbad1144fd8cb24f4d51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\HorizontalScrollBarRightArrow.bmp

Filesize
728B

MD5
4b836f7ce1d00463de54cf6e41ea6f85

SHA1
d20223209db0fecb8b79808f2130d103172b77bf

SHA256
5d2a7d9dac987fae6c0d3e2716c5dce8cc06e0e8ba63d974a71c5c26e718cc30

SHA512
6dc99fb85febe6eb61699890401dcbf680aac339d85e421fa4fef695fa0e03173a011b67de3e3a6b6af30f45a475fc18b4845d992641c1e35bf268fea116317e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\HorizontalScrollBarSpan.bmp

Filesize
840B

MD5
ad9ed7eb38f1be915ee8dde928ee5507

SHA1
7d093c2037fbe2f2bf49a516aa499c0358ebda2f

SHA256
f27d2b11e462dec99d1feb1255c5af76f7f5627153008d64f0f354897d1d240a

SHA512
cacb5ca60557ce72bc953cc869628a47e67026991fed021bbf29e31fc8c1ff94ca057324f83f9ae7a8884ece5f3eea9d1b0d53536550d7bd2870f0de578221a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\HorizontalScrollBarThumb.bmp

Filesize
840B

MD5
b3df2057f35ff9bb6ce4e00ddc7e9faa

SHA1
cc31aa8e17eb99aa6017dd4da428b8529e9c0a95

SHA256
2fa4097cf3e6f92362264c7e463144b992e8ec1c25b97a94217782a2938c231d

SHA512
1133a4a9a3546cc273b3757bb999d9ff18bb46c9d38ade4ac5a940d2fa72cb20ca00409ca3a17a1ed19a23ca32f4dd04c360c209400ae8b6dcd422ee3a36e3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\VerticleScrollBarDownArrow.bmp

Filesize
672B

MD5
87d9e9736eaeba05f5fa309f2c96a152

SHA1
e3c6ca90deb3a0f082ec640552f28153854ece9a

SHA256
c31e2c6efb7f32c0d9f525291acd7fe2ab5612c64f9b0bb6efd3f7819e8573d2

SHA512
305e5394dd3a1b5f74914dcce8417e12a7906a341a3c65a21975a8e9a0b8a06a79c7ce84df53f955e4f96f58eb594bdab54078785bc9d185225e8d30fbfb9550

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\VerticleScrollBarSpan.bmp

Filesize
276B

MD5
e811c204c42e03e0349f9a6ef6f56df7

SHA1
f49b3f3f8fd85961ff5b81366b0075d672000a08

SHA256
40cb66ca15c55dae3ef084c3693d1d173fd849d1fa1809635f1ece3cff4ed934

SHA512
d52023793f2637becc402736c9b77c87a777bc0adb5bc0de7f2db136ee4b64317b70f9f437d0b031822c4ff056b6ef7cee7b1485ffa62eadb305117cc8613c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\VerticleScrollBarThumb.bmp

Filesize
848B

MD5
8bac23ed8ad19acbf115336a29e08fcb

SHA1
291433de1a0b349f334579d9cf3fc90275daed1d

SHA256
8ff6355af6466c1ced23e38593e015061354d3cb915d3c7b58477968b9e14264

SHA512
d44f0a51c9dc345308fc5b2e4442ee2bfda15b6efc87cdee9ec2b9fb5c614115f9a74a6a62211e96dc221aa2aab75ce5919b9541151acc4b05a2c7a4bde02f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\VerticleScrollBarUpArrow.bmp

Filesize
716B

MD5
3e8d74634f6a1f21103ecdb340b73821

SHA1
865b3eec97c1b1a2260fa9ec68583f2006a5b12a

SHA256
19b26a8d5e2d3a988cf87a5cb182d18ee960691650269935c84e1841e3a91fe2

SHA512
d99a92d9ea7d9a60f07e506f4ebbabb807fe87284931abab00875827207ba64476d4773ceb3243f5346f6e6348aafdb12e6e3ac15c63a675a290e6ab873a353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\list_control\VerticleScrollbarBottom.bmp

Filesize
672B

MD5
893198a29458f9697dab732a40e93bba

SHA1
49a72ca331af9b3f04d68f9f4b408b619d435196

SHA256
46a609fb484cb0dd96ba17941baf155e192c0117954f38ac0a847c2c32bd9c63

SHA512
3da020cdc1dfcff95d1ddeda1f5facf4fa7184646aa7d4f6c75ce09207d743b4455e3024ec1a888f2daa8cc5f992b80bd86e17eda7998181ab8a08cbbdef3e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\pop_result2_bg.bmp

Filesize
172KB

MD5
9f6e6d95244ec36eb83f8d21cc3b31b0

SHA1
31e1811aa28a0c4c66fffb21e8701a5374c7da30

SHA256
d570311fa2c2dd57ec35281bc496b25f34e9363d2bd9eb73f661f28c436dcc62

SHA512
347064ecaa0afb06ffeb1235c42fad4978565cf1b404c9a5bf806029d43142f737f27587ceccbf0608e45c28b49b0ff429f37c5a541e537f8d956812615cfce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCClear Sophos\service_title.bmp

Filesize
33KB

MD5
8c56e93aaded0f5bc2b49d8ba3b75b9b

SHA1
5044f24b68839f018d0ff97a828b54fa521f6af9

SHA256
8af385a50e7cb71c27b149476a1b4a3d9d14e577499b79ccc3baa3def25ef547

SHA512
0411a274ee4ba10fc20fa0be598e533f0d0fb8c00a03a25e53bd266dd798004a95146312c213a7f08b6d1e2c10d91e4141b356dd0b5d254f0a934c018f5b8dbf

Download Submit