Analysis
-
max time kernel
33s -
max time network
38s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
06-09-2024 08:11
General
-
Target
clean_master_1_1.exe
-
Size
30.1MB
-
MD5
34faad3658a42658d7a28c24ecdd10f8
-
SHA1
74f9173e1071c81699e8a1591f521d780f239806
-
SHA256
86f81420a4d17a143137ebcd3e3defd9cb94a827855fc4eb744843675bd11407
-
SHA512
e1675053dc27520510506c5bbb6ade19a8d7902b72290429e3d6c8e74fb70343d1d991204277dc15effc4349e87f7cd9423dc6e144c75639b6246afd7c128294
-
SSDEEP
786432:OOMP8iOl4PorpGngFGg50OlPA5ClDfD/5oakWaa+csPWBKl:O30iq4PotQgFhaAPA54D/qzrauWBKl
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Drops file in Drivers directory 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\clean_master_1_1.exe"C:\Users\Admin\AppData\Local\Temp\clean_master_1_1.exe"1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\cmcm\Clean Master\cmtray.exe"c:\program files (x86)\cmcm\Clean Master\cmtray.exe" /newinstalldlg2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\cmcm\Clean Master\kmenureg.exe"c:\program files (x86)\cmcm\Clean Master\kmenureg.exe" /install /path:menuplugin\pdfprintmenu.msix /name:cmpdfprintmenu3⤵
- Executes dropped EXE
-
-
\??\c:\program files (x86)\cmcm\Clean Master\kmenureg.exe"c:\program files (x86)\cmcm\Clean Master\kmenureg.exe" /install /path:menuplugin\pdfcvtmenu.msix /name:cmpdfcvtmenu3⤵
- Executes dropped EXE
-
-
-
\??\c:\program files (x86)\cmcm\Clean Master\cmtray.exe"c:\program files (x86)\cmcm\Clean Master\cmtray.exe" /src:92⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
\??\c:\program files (x86)\cmcm\Clean Master\cmcore.exe"c:\program files (x86)\cmcm\Clean Master\cmcore.exe" /service cmcore1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
388KB
MD5f730d5bfc4e962c66307beec8f57e7e8
SHA17f18751f39a14a4c0555949ecd7338a15a3fc7a7
SHA2563d3f578d35d146249e22feab445d6541dd5473698e426a52eab5a3e441958790
SHA5124b881c3d03963e28aa46c39da2c5a14bcee51ed016602b88881707bb7901419abd157db1f056d0ebcfccc7eab63c337a910868ee15e5317dea2847ffb62590fc
-
Filesize
168KB
MD514ff4198a0ef8f0d903089907c2ede88
SHA145399f0de2136cf78bc31e578f97eb8b1099a3d4
SHA256d1c21dac8803754fa945b8647bb71c06312943f41f43a27fac9bf28f859127c2
SHA512d00c4fb5d6c7b82dae9e70064236ec898da367c9b885d0fbbd0873c2c30fb5598d34cddf69d1f05841c3657ba65d8bc1f84ffd14da19066ce9302619e4eb5a71
-
Filesize
1.6MB
MD58437ae742bdee7f4cfd624d9a587b06a
SHA1e81cef8d4d814bb28266ec8a82492651081aa6cb
SHA256d4a141002a7db7f6061f0c38ee900c40a890e6ec503c8d77f5e27bb465d3b2eb
SHA512172ed3a35308be3cd9258e82c10e463f522d186ced759ef8beedf3705fa0f2d65820c92180218afc24ee876f5304a0472d8d3ae6cb2cf7407259abeba45cfbb9
-
Filesize
4.3MB
MD516e09f5ac65b64f3f5413e09d36ffea9
SHA1d44c50881e1ece0429a7a3ae5c2ae84550ae8cf7
SHA256171d023ec89ae530f4575c8b2829e737bef141f4a785afa98800bf9a773ad72b
SHA512b4464866b00ccbedf82c787a7535bea6181eb44023a762b1c9f2a399f16b416734859009087876729cab6cf3967e2e4ac997486383132f1bfb0f7fb3002fcc2e
-
Filesize
3.8MB
MD50b1d7287068caa0072c91d5abcca0bfa
SHA19d667b3d46d82f6583c9e5d3c3f804c19594a2fe
SHA256aff7fecb84eaee5840dcf7cd85a41ab8d3a0035ec16cb151d46d742f0305c48b
SHA5123319896ef67ff8810dd94af90d06cdf3cf6378fedc46c50613a2dda91237df9d317d090437e06cf34b4d48d870daec41103f19999231f9978e1d450822e80c8c
-
Filesize
270KB
MD548fcf073856cb169d38eaf89eb53aa67
SHA1bc8125b12b2000a0b112c76f2c69786c0221d1f7
SHA256ccd0e8d1707cdc3c08b56d58da96aa4fd1de2c11c0997403b701bff4401edf71
SHA512cf66f2e24aad3d80f36a8de8a864be29bc2f7cc1ed2cad3606cf51a13df08c23799f370ccff589cbf92c928aaa0b8330b338ce19381cd2b842a551f0b46efb05
-
Filesize
109KB
MD5622acd176e9cadf272ca86d4828ee844
SHA14017520a99d3b1c126a9a88097bbc7af952d96d5
SHA256844b503e094f02850de16dbd8e15f3445cf419f3ee94ddd3d9a5fccb4595e92b
SHA51210f8e7dbd5bee1bf23d8c7ea519851fd78540895b8c5ae13ed42bcbf810d6ee6ab09181f6f467dac4b11a059636a9e84454153e1b3a8d1f46c0405b18fde242f
-
Filesize
139KB
MD55abe11f2c97a1e268e7d2508359a0e8a
SHA117c1eb3074f65991027916ec8e425e8accb5a62c
SHA25608c9e58fc8e07373092b6b1b7c3eb322725f452ebf5fcb56e4137627f0d4f18b
SHA5122cf2653384e9394bcc079ad85df533c162a28fbc584ecc77f9765a3a0d78ba43b0f1019e9092e7b787ad250fa40c3bd78a5ca17c1c59355c9fba5f3102a6d5e9
-
Filesize
209KB
MD5cf6072ed1f81e11e3712dc33d3577721
SHA1a9da6d69cfd8a7718dcfa9f455c48236b404785e
SHA25670af9f71d6a7371a51e148c32e58682813f5c113b233a5c7e2dba62185b37386
SHA512b9052d0004509041514ffe2d956423237e5cbc2fed43c45e3e91953b365d2c3ff0ad41ddeb3a924f08cd6579354c752f75dd1d8c2469a63a3626666404ada444
-
Filesize
1.0MB
MD598f460705a66a545ead5c8c852bbab1b
SHA1daa9b419881903987d85ea77cc423292925c68e8
SHA256560d64e75b263e1a256279f13ee27ba63eaad19a345d62aa07cb9e627b37ff7e
SHA51214e9a2516d3f7c16cf0015dfc841eda02494e8408f9c0f60596f98563ccac3d90800c638d4911e061625dcf25df6f42e278aacffbfda506a52728701372d60dc
-
Filesize
1.2MB
MD562ccf1fd9ae7d85bec00e3b773335f72
SHA1a4ba2af03fa7996c7b52ac9787e3c224a44ed51c
SHA25638334efb1896dabebb723f264702e2842db62ec9d2bcb790a5a9e7f66808f79a
SHA512d2d0b00c1534010be0675838e41f8fe5a8fbfe890b89900d7c55a07f29de213ef09c0e7bd0d44540e42c218442d788af936812d1a72baeb32051211120671071
-
Filesize
1.7MB
MD557e6b840070cec49101dd1da4b8136fb
SHA1c54447e06ec5fedf371e4f60c9292e644ae65051
SHA256800e78d189b93f96c7e836469e3995dd58d8bfcc8e008eb3696ab0d52f5eafa6
SHA512c4788ceee36c53fe125e6d9822d42d42a2621834a1202c406469ff1fbdfe4fea03d627e3aa9266023781fe114041e47640f45dbd5a94aa3452a56b58a048d4a3
-
Filesize
141KB
MD5769d163013f1bf7f6bb7c8a9e239b9a9
SHA10dfbe963e9f3b8604c126ada9b100082dc1e5d33
SHA25642192257c8214619ad79d3ab1525fdeda2b669249afc175391b4a839b22b1c45
SHA512a7dcab46adf3388d8cd4816bcc5c48e388b019bfa04cbc6949a8741ab3f17a174f2fc39a25f33b189700a869ee8154eb4484ba5990b1dd2c846dfd7c26bc1fe0
-
Filesize
53B
MD5a0a965519146fe02f863c0daf229f4e6
SHA119ce5661375e372af53b8b879f7da7e1fc7bc86e
SHA256a7ee8e59f2998934350dd211d90d3095d46215678c0e3569f71bc6fecafdfcbf
SHA512e3a9e5fc25c7450c1a1c9388f0d2b7be042dda8e842a996cc5e474b5867b79fd0020c65b2ffa9bac74e35730231b8fe0a0533bbd9fd0125403d411b13adb4659
-
Filesize
2KB
MD5f1926612e08e9730ed03c80b16bceae0
SHA142b3dbd75d4d52dcc3f410ae2ee0599babd1c419
SHA256fbb464097497a0bb89b13252092279a8672d647c5a377559bd42c185d9c3a3c4
SHA512ed8d7a2a0ad4dfa81e9833ef272eae1ed6d89cec362cd7e9d01b0b50c8e2e043739b7267c85d228c0c109874f4e07c8e49b09c120a0c5a6c1c8d172597e4d8b4
-
Filesize
3KB
MD51f785f7073a397d9f7cd0b664ffba243
SHA12b7b5ae3e856192ccb5c1e69af2365b03f614ce1
SHA2563bb5769eb0b545bb5e9a22e2ea5fe52b406d8417bcbf6e39e5a3b79f181d2a20
SHA5125bcca0f97f06f899476032829505ab78e4d532a6b7e6ec42a92d46b853bf85044a1a3abb9af4d4e40b1957174dce1994de1de83e3f5c1e8006353efde3a62468
-
Filesize
4KB
MD572e43a4766a980648187b24b17a77385
SHA171175b8fc7916a39b684de5db4132a18336cc142
SHA256fcb767ccba217b0f128c88f10d5c7960834f15a03577f38fc64a70f97a72c7a5
SHA5121cd2408c07c9e65d777ce2010ba8dc1a1bfd3e18aa09ca2dbc79f2e61407bbbb5b8e5764e87ce66576628c880a7a3ac3eef0e7d6e6ec258e2b2beb21eabc9150
-
Filesize
138KB
MD526e0ab6e101a0fe17d76a6cf1ae30ce7
SHA1751d0f0a5ace9430fef996c07c5a8d5d94d19eb8
SHA256c7d580db713a896c078cc83e76e3cc43c0e979d6903f195559b7422f2777956d
SHA51255cfae0738bfacbed884e4e02c137d0fd705af5e68749e834519484dd1e71cf1c307019c397093511b6ac49404e36d336695431b4464d09c5b479063f465c3c9
-
Filesize
536KB
MD54c8a880eabc0b4d462cc4b2472116ea1
SHA1d0a27f553c0fe0e507c7df079485b601d5b592e6
SHA2562026f3c4f830dff6883b88e2647272a52a132f25eb42c0d423e36b3f65a94d08
SHA5126a6cce8c232f46dab9b02d29be5e0675cc1e968e9c2d64d0abc008d20c0a7baeb103a5b1d9b348fa1c4b3af9797dbcb6e168b14b545fb15c2ccd926c3098c31c
-
Filesize
612KB
MD5e4fece18310e23b1d8fee993e35e7a6f
SHA19fd3a7f0522d36c2bf0e64fc510c6eea3603b564
SHA25602bdde38e4c6bd795a092d496b8d6060cdbe71e22ef4d7a204e3050c1be44fa9
SHA5122fb5f8d63a39ba5e93505df3a643d14e286fe34b11984cbed4b88e8a07517c03efb3a7bf9d61cf1ec73b0a20d83f9e6068e61950a61d649b8d36082bb034ddfc
-
Filesize
1.7MB
MD57c29f78feaf7661495e7be7ac32a0803
SHA13d0677bfdef0d180309788b9f000229b10e14fad
SHA25673e075059c5d3461e7241fd43eceef2136fcc1509b2aecff34992549d0bbaa66
SHA512fb7574a991b9cd1526d73a40f994d9856679d37d1a92b519e27ded24461e992f0477cbb6d21d0b2707526c6577e78e5ee9a10b2fc18a90452a9f5acd0d0737f7
-
Filesize
10KB
MD547e87cdf9868b30a1afa45c9335e1bd7
SHA1a53d2bda9be49fcbe44f57c6c020e6d22a07a917
SHA256d9df611e591b4a5f19e444970f35436991c59dd9ce01df235abd9ea54f47956d
SHA512e21a04d4728c0a462a46539beb76701ff7c8e7130541ec2d8b6f2bcb99ea41a44c9edb190094cd4a97b814c2cd831d7fe5911156dbb1f51dceafdd5bbed1cdec
-
Filesize
254B
MD561f326fcc7836aed4e73e80e30805c64
SHA1f6f043e7d2ea0e4bc0caa55edbdf26af608e3d84
SHA2567f433da24a0061531c3736e98bf75e274e726e3f76ae5022e8d688fa901edc8b
SHA512f5873432d55919f5d55666b9f0ae41f4f3de24d35ae711e6ec9013431ca867b15c7908ee467c16a4c245a493aba30855f6e87b79488298f61d6df79cc0b10f3c
-
Filesize
3.2MB
MD56d2dce9b468a057fd6cca4ff7ede4065
SHA1a92100c859bbadbdea3208fc30238d247ec2dcd5
SHA256cf2f060fb4a47698fcecdb5982fa42535285bb5a4675e90faff03034a82d7c0a
SHA51285e80cf3348e8f9f8f275a967d6415e891f840e8ff82db31818609b74a123755981fa238d36f2b42d5cf16764567391735eadf87d38580936c5d2b180305daec
-
Filesize
215KB
MD59ad48b5803cb70dfa691a14aa0886405
SHA11ee4cc6ad2357bb2c7ed7b5c918e3e97281c6fe5
SHA256ffc67f8f07e4f99a3b35e6f52f8d377e90ceb5a7d6374de7415939105e892c23
SHA5125d66ab546e60052d72f7849fed90fc31b15fa8302da1ff7bb771aa974f0892afba8bcab08e7c511d479974c2d8a7ade845a3746daaed8e4de63bf94dc75e7754
-
Filesize
141KB
MD5dd7718c47be33460bf6a2e7e8cd23abf
SHA1ca6ec2d440c2979868ced704b0a213c4fc28dde6
SHA256fa11f6fdab28b1184b490d429b724b1abe1c6f060d97b76af122a8ea9d697aa1
SHA512ea9b184ecfd67d3b58d749a5bf18b62acebab7c9e29f5b49af0e051795912e03679fd2befe503495dddc601be561c31e870344e6712d8583c9f3b97c414681a3
-
Filesize
1.3MB
MD57a6ca73b982bb0c804a7f7139ee29c28
SHA1ccbb623d5b608010852714545f92ee3c6b989cbe
SHA256d08f90548ffa3dff8bd8b0247c0c54f0e14a5a56bb037c8846f7954e10129908
SHA5124c39e747843d67fd2524438d74b588b28f57c4e1b16f1abc05d80c56314181a67c1c618a428b494dff485d0087f891a95e06cc06304b191132cc32c3807a2aad
-
Filesize
126B
MD544c8683c74e66757dc9415f901290180
SHA1991d5bc15e83eeac1c4dbd50be31f0088bad7a35
SHA25626aa8f4e3c70a79a5d2fb4d2d53be3cc6bb81bafb6cac51f8b5c50069d5707ca
SHA512f30613ebcb782b9cbdee079f731cd63ef761fcc2f0896727066ce2d641713849c9e1f280594582d351eff4319983a5cf6b7449d3b2a0d77d8ed7cc3638bb6d90
-
Filesize
1KB
MD5985eb65c0ff46bd7cb5d1cec29548496
SHA18241da72e9de6d1920b7920a4716db0618075ebf
SHA2567f70d223536357926a9cacb2e9adbcdc4604e3f4d5891c5576bee754db8000e5
SHA512e4095f19b5bb3d7b75ada2dc0dad15e236dbefb25f2081d8196657b6766a52160d618d0cf72fdaca4bfb2068d2d4e0ac6affa3d781cf431e5a71a10c02332093
-
Filesize
14KB
MD5cb9973f9ff5680b3974161985a13a57b
SHA110e8febd106c21018bffb3ef08653c4fa497a5a1
SHA256815850db0114df05268c8356d04e54aa90150bd6ee0aba515fa5b1796fdf58fb
SHA51251fe6a390728c258d85ff705064718df7c9f60d9594b43e66eb646b00525f44df270a8b3264bfa4c1e6a9dc03f84e75451fd8dcc97898a1c9dcf75748406c864
-
Filesize
31KB
MD5846aae27971cd860249f58206b65aec1
SHA130adc484f6b3aaa808e5fe1d73388e3c4d29b42a
SHA2560d23bfddd2676a98c0a5538f2aee86b7b89aeca62c7feec923e7b53cce00e097
SHA512339eacfc25526d2da52034926bd979002251814e03d360be375c968825f224dd0e3362f56a796acc54c221f444e504202356012bf2ed9835e97df81d5ed92baf
-
Filesize
44KB
MD51ff1183a827ed85e11bd62f6dbd9ec41
SHA16a2e28597a5e744cee25488393e800b006aaadf1
SHA256e65b5c4c7950b54f2035a0142d8f2631bc47438ce62c2266baad577f9667fd00
SHA512517171fe18e3649149d62ee4981c747e6d9126c1b70285ddfc660a857934144b6a24d93241c852a5e590548c3317af1cc0a92efd7549d55e7f40cd2f210e9754
-
Filesize
30KB
MD5dc9483a72c3f9c7b9a4d9ae1d481a93a
SHA1d2f8284dc01eac9058cc16bfdea76922d0f6d9a8
SHA256b7666307c9b8a87f186179fc7cadbe75198eb3e7497463b65715184fff55c9f4
SHA512ae1bab21d7a5a36431b6be6b85f2035ef0bc53c5b925fa0ce89ad33e258bd586f9e38a84d023cd791d6184cfcada821aee928e24caf72b7d35f1428169285c0f
-
Filesize
4KB
MD5627e57e623dd53cf5c289d5bb87488c9
SHA11de200ac6c954df2727cccc45630de98923e6ccd
SHA25618928d9646bd62f06af52d10c2b7b52b20a11b861aaaff6f33addbec6eab4f3a
SHA5126ded9f03ebb0d35a522f731be5666930a5f2f6b94fb5b136e17adaaf9fd59b663748ead45b727da96b3263c43b830ec2cc625e673d0b7ec4851ab6dc80fd43c3
-
Filesize
7KB
MD5faa5761c09f02076cbb660ee91c90a3f
SHA1d039a541ed3f714d70f438c07b638d0fdcd63684
SHA2560ed6dda5ab6f3bb62608fbc53545342785be0e05bb53a31ae43e0ce84de24caa
SHA51284e3835da9bbb162c3a13708ef6ced2162310ff8c3e5b99c70d298b56b9b138b4bd43a7f067efdfb3589a9a88c0dc6dda1f78246d8e577d0c3c7526af96382ec
-
Filesize
102KB
MD5b9dbe0f666cac12f67c805da560af5e8
SHA118c051e626db45e4c0dfb850602481a4260b3841
SHA256bf2cc65a64f257fec244cb3c423285069b18eb0063590f09150f60bc80e0d474
SHA512e77142e71f9fe33e7fb9a334f89a86f61fd04254c8b32334934dc75e66764c1595ea111c45fb124b616fc9425accb656e37a92e857be413cb4eaae2a0d455d97
-
Filesize
264KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
732KB
-
Filesize
1.2MB
-
Filesize
4.2MB
-
Filesize
912KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
400KB
-
Filesize
764KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
1.7MB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
180KB
-
Filesize
5.0MB
-
Filesize
96KB
-
Filesize
1.3MB
-
Filesize
1.0MB
-
Filesize
3.5MB
-
Filesize
156KB
-
Filesize
56KB
-
Filesize
916KB
-
Filesize
340KB
-
Filesize
1.2MB
-
Filesize
292KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB