Overview

overview

6

Static

static

1

CCleaner64.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    12s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/04/2025, 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CCleaner64.exe

  • Size

    43.8MB

  • MD5

    f116a86b8e6235cc551f30e1559d8d1d

  • SHA1

    0f5fd9e2d38068d58c222b6a78a7171a419e0575

  • SHA256

    c3897cae08e39f70508d372e8e60b99da4490ae09139da8199a5ba70ab254725

  • SHA512

    14293608ec71b50ab875421cd3cb37006957e03aae54c95131a6c212f95e11fb3120a9024e99ad9dce9d3e6feffe9e98fac6bc80cb3a6bd3cc971ccd4485c0a0

  • SSDEEP

    393216:qWtZTh5KxtGKB29mUXV+OJzZU59yx2i57CszyrQxZh6V4/rqNwp3JP+R4XjXhSpK:qWDh5K2n57rqQoiJP+R4zXs1K

Score
6/10
bootkitdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe
    "C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • Checks system information in the registry
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
    Filesize

    512KB

    MD5

    a289e15fdd5e66634c78f53ad06972dd

    SHA1

    5e55e07fbc435ae6202d52d6af86fe8b5a1129db

    SHA256

    0d61a310caf458ad17382c97cbc5986e56c76bacb10df3f704423e0253d4df02

    SHA512

    7a54ad3d10076af7c2cad6eabc6efd5c2a4bc3c3a485e27e54185783587dd14225551e296b447398448a2d8713ed0f59b12e0a2fcaf0ecc65fa3aa41ab660e49

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
    Filesize

    14.0MB

    MD5

    c778563b9898b33fc7a52956ed9ccc98

    SHA1

    1683b1a07fe6b31ce7e566573ddd62b11dc89054

    SHA256

    75c656ba22eb73fa9b80a7bc2d245f5255a2890c7fd892ccdba3d4bf45fe3364

    SHA512

    7eb44dcabf95b1a1cc13c719e4f4ea65de96ac6c08bd95fd205c5f37fd94aecfd929c077b7aec9722686329c705b0d522f32dd90323538c511908217d41a4d98

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
    Filesize

    16KB

    MD5

    994fde8cc035e62baa5200e40cdba686

    SHA1

    456e489d78d4cdda5490e4ab734ebcf34c4e7d10

    SHA256

    39aac4667efb0e99ddf5dc15d3196deed6de20af5110005e69e36b4603be1d11

    SHA512

    255246968424a392497a702173802a7911923ba9a2b3e8fefb956d94a5267904c8fa219a5071d030e7a2628417a7ed422c057ea1a6d26ef096ac0d58eca39e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gcapi_17435232864776.dll
    Filesize

    740KB

    MD5

    f17f96322f8741fe86699963a1812897

    SHA1

    a8433cab1deb9c128c745057a809b42110001f55

    SHA256

    8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb

    SHA512

    f10586f650a5d602287e6e7aeeaf688b275f0606e20551a70ea616999579acdf7ea2f10cebcfaa817dae4a2fc9076e7fa5b74d9c4b38878fbf590ffe0e7d81c9

    Download Submit

  • memory/4776-45-0x0000021BF9F90000-0x0000021BF9F98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4776-46-0x0000021BF9F80000-0x0000021BF9F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-6-0x00007FFD39AD0000-0x00007FFD39AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-7-0x00007FFD38DB0000-0x00007FFD38DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-4-0x00007FFD39AC0000-0x00007FFD39AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-19-0x0000021BF1A10000-0x0000021BF1A20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4776-25-0x0000021BF1A70000-0x0000021BF1A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4776-43-0x0000021BFA0C0000-0x0000021BFA0C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4776-0-0x00007FFD39A90000-0x00007FFD39A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-5-0x00007FFD39B30000-0x00007FFD39B31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-48-0x0000021BF9F90000-0x0000021BF9F98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4776-51-0x0000021BF9F80000-0x0000021BF9F88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4776-54-0x0000021BF9F40000-0x0000021BF9F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-3-0x00007FFD39B00000-0x00007FFD39B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-66-0x0000021BFA040000-0x0000021BFA048000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4776-68-0x0000021BFA080000-0x0000021BFA088000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4776-71-0x0000021BF9F80000-0x0000021BF9F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-75-0x0000021BF9F40000-0x0000021BF9F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-2-0x00007FFD39AB0000-0x00007FFD39AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4776-1-0x00007FFD39AA0000-0x00007FFD39AA1000-memory.dmp

    Filesize

    4KB

    Download