c3897cae08e39f70508d372e8e60b99da4490ae09139da8199a5ba70ab254725

Analysis

max time kernel
70s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCleaner64.exe
Size

43.8MB
MD5

f116a86b8e6235cc551f30e1559d8d1d
SHA1

0f5fd9e2d38068d58c222b6a78a7171a419e0575
SHA256

c3897cae08e39f70508d372e8e60b99da4490ae09139da8199a5ba70ab254725
SHA512

14293608ec71b50ab875421cd3cb37006957e03aae54c95131a6c212f95e11fb3120a9024e99ad9dce9d3e6feffe9e98fac6bc80cb3a6bd3cc971ccd4485c0a0
SSDEEP

393216:qWtZTh5KxtGKB29mUXV+OJzZU59yx2i57CszyrQxZh6V4/rqNwp3JP+R4XjXhSpK:qWDh5K2n57rqQoiJP+R4zXs1K

Score

6^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Avira\AntiVirus	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Avast Software\Avast	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Speedup	CCleaner64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCleaner64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	CCleaner64.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\addinutil.exe.log	CCleaner64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	CCleaner64.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\logs\scesetup.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.Old.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	CCleaner64.exe
File opened for modification	C:\Windows\DtcInstall.log	CCleaner64.exe
File opened for modification	C:\Windows\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\lsasetup.log	CCleaner64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\sammui.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\setuperr.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	CCleaner64.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20250401154749.log	CCleaner64.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	CCleaner64.exe
File opened for modification	C:\Windows\Panther\setupact.log	CCleaner64.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log	CCleaner64.exe
File opened for modification	C:\Windows\Debug\NetSetup.LOG	CCleaner64.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	CCleaner64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleaner64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleaner64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	CCleaner64.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	CCleaner64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe
Token: SeShutdownPrivilege	2488	CCleaner64.exe
Token: SeCreatePagefilePrivilege	2488	CCleaner64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2488	CCleaner64.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2488	CCleaner64.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2488	CCleaner64.exe
2488	CCleaner64.exe
2488	CCleaner64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe
"C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe"
1⤵
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Drops file in System32 directory
- Checks system information in the registry
- Drops file in Windows directory
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
e456fcad0caa8d2c1713085a1fa6a9e8

SHA1
6f870a4bb91b436dbe98beb96a4910256fcf3642

SHA256
72ead5e24a1047427ebb2e129e21a13ae6e79d56ad659507811df6c1910c0e3d

SHA512
21ce37a22a760593ae8053d019102e09ac76a7b4f7484c94821c0b6e5a29f78d5f73c3593f01e8e1b37b08a7933a4a014a5e04ab275391b90b481c4b95fd3d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
e61f5abd89a3372fa131928e7de4ff47

SHA1
de25aa8e349828514d894dab38bb9989e0d0dd16

SHA256
8272405f12e8a733112e937ec684a2c27d35725d9196c9d8b4129ba1f537b294

SHA512
09367f92059d9a81504db4403ee18c5bdcad63b6c149129fdb79db1c90eb29568f4c6f5a4922e6de57de20cb1e60430d76890e67084d4d0885eac51e5f73f8a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
a49cd0330dbaff51a5af8b298cd500e8

SHA1
8d5ef47805c4268d2f8fdc13ab238c2ac1bbae71

SHA256
8f8bb1b9f9042f629ca7c51a040a69ab5ad41582fbd5aef8a41d6551b7c5bc46

SHA512
ce0ea277a04b1b275e6edf2b34b686789e1137b8380554031ab4b444d4d60a9b1c36aa877404e469d7e9463c635316aca2dcc78738b50d7b812b4963a2da200d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
776e186c2e770e31acb58d22a4dc5b8d

SHA1
43505d748870752dc135d34924d60fb375e8d271

SHA256
cbe1bdc06e902245eee9b7c10cc39037fbf4037fdc3fffba7e69003a1e84b62a

SHA512
91ded9cef3c8c2197a612c4f9a086622042fc66ce5840630048eda2ea01ec5d205aa9c5ac16b0c610b8e7afe05b465bf9d575e806d71d259fad9ad87f07cacb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
1bd01e272816242f8433a1a5a2575023

SHA1
81e03a06ac1cf10d3499b3e0b3ae53188bb04479

SHA256
a06d285e2d5de432be77146555ff195d53861ca8ce5bb9c8794b92505de62b8c

SHA512
99d99cf3d5c687e201da259ec3253b5088f650236ffa9a59746c4426c8ed3041cadd16e724f07216591dad922b2f168d656568e209724578c0e88d6e08ba41ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
8f06a75aaca7f44074cc4642402247e3

SHA1
f38fbe47f0708a88732baf06b04447169945e9fb

SHA256
d4817de9865f2edf5344510cc4903e62b3cf445fb2fd0eb4936d151af0265deb

SHA512
c4dc16f14a30298c6f75aa037d959c597c97d84144f3121916a1104d783f43c8e851d9272acb351b7f360f0d1740ee8b67e63f117bb74e65afa83f94199aece9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi_17435224702488.dll

Filesize
740KB

MD5
f17f96322f8741fe86699963a1812897

SHA1
a8433cab1deb9c128c745057a809b42110001f55

SHA256
8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

SHA512
f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

Download Submit
memory/2488-44-0x0000025078250000-0x0000025078258000-memory.dmp

Filesize
32KB

Download
memory/2488-53-0x0000025078200000-0x0000025078201000-memory.dmp

Filesize
4KB

Download
memory/2488-18-0x0000025077CD0000-0x0000025077CE0000-memory.dmp

Filesize
64KB

Download
memory/2488-24-0x0000025077D30000-0x0000025077D40000-memory.dmp

Filesize
64KB

Download
memory/2488-42-0x0000025078370000-0x0000025078378000-memory.dmp

Filesize
32KB

Download
memory/2488-0-0x00007FFA21250000-0x00007FFA21251000-memory.dmp

Filesize
4KB

Download
memory/2488-45-0x0000025078240000-0x0000025078241000-memory.dmp

Filesize
4KB

Download
memory/2488-47-0x0000025078250000-0x0000025078258000-memory.dmp

Filesize
32KB

Download
memory/2488-50-0x0000025078240000-0x0000025078248000-memory.dmp

Filesize
32KB

Download
memory/2488-7-0x00007FFA1FC60000-0x00007FFA1FC61000-memory.dmp

Filesize
4KB

Download
memory/2488-6-0x00007FFA21290000-0x00007FFA21291000-memory.dmp

Filesize
4KB

Download
memory/2488-65-0x00000250782F0000-0x00000250782F8000-memory.dmp

Filesize
32KB

Download
memory/2488-67-0x0000025078330000-0x0000025078338000-memory.dmp

Filesize
32KB

Download
memory/2488-70-0x0000025078240000-0x0000025078241000-memory.dmp

Filesize
4KB

Download
memory/2488-74-0x0000025078200000-0x0000025078201000-memory.dmp

Filesize
4KB

Download
memory/2488-5-0x00007FFA212F0000-0x00007FFA212F1000-memory.dmp

Filesize
4KB

Download
memory/2488-4-0x00007FFA21280000-0x00007FFA21281000-memory.dmp

Filesize
4KB

Download
memory/2488-3-0x00007FFA212C0000-0x00007FFA212C1000-memory.dmp

Filesize
4KB

Download
memory/2488-2-0x00007FFA21270000-0x00007FFA21271000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x00007FFA21260000-0x00007FFA21261000-memory.dmp

Filesize
4KB

Download