1f2f0fcf6f0870dd3ad85410d6a94a840c9ab5d89a003288ec5c77aae0a0d5f4

Analysis

max time kernel
7s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner1/CCUpdate.exe
Size

697KB
MD5

0f0b90a01f049665ca511335f9f0bf2e
SHA1

baf4016e50050b24925437864bfb3c19d0baa901
SHA256

4ad9635351c8e8579c4d4c2bdd679ea7b135ec329adc6fd5d8211255e2e666be
SHA512

44da936d020e857bf3bfa2bcc7a91182da9c1f320fe041bb2836d4e8ae99d4b939ea27842b49b9a2cd24e09c7698579617584d431a2b2f7eafdafa1fb9a59c50
SSDEEP

12288:VBkGdCMw6KJx17OeNg086YN/ggggMDMCy/VmuqLZeviFGQ2mfzAuEUVoFY:VBkeFw62+ggggMvGmev/6ZEUVoFY

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CCUpdate.ini	CCUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2784	CCUpdate.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1284	CCUpdate.exe
Token: SeShutdownPrivilege	2784	CCUpdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2784	1284	CCUpdate.exe	30
PID 1284 wrote to memory of 2784	1284	CCUpdate.exe	30
PID 1284 wrote to memory of 2784	1284	CCUpdate.exe	30
PID 1284 wrote to memory of 2784	1284	CCUpdate.exe	30
PID 1284 wrote to memory of 2784	1284	CCUpdate.exe	30
PID 1284 wrote to memory of 2784	1284	CCUpdate.exe	30
PID 1284 wrote to memory of 2784	1284	CCUpdate.exe	30

C:\Users\Admin\AppData\Local\Temp\CCleaner1\CCUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner1\CCUpdate.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\CCleaner1\CCUpdate.exe
  CCUpdate.exe /emupdater /applydll "C:\Users\Admin\AppData\Local\Temp\b05e9903-43b5-4488-a8f5-fcc86310546f.dll"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a5f526a-3b37-4e7d-ab92-8bdf3091a6d3.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Users\Admin\AppData\Local\Temp\b05e9903-43b5-4488-a8f5-fcc86310546f.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads