Analysis
Max time kernel: 12s
Max time network: 15s
Platform: windows10-2004_x64
Resource: win10v2004-20250314-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/04/2025, 15:59
Static task: static1
Behavioral task: behavioral1
Sample: CCleaner64.exe
Resource: win10v2004-20250314-en
General
Target: CCleaner64.exe
Size: 43.8MB
MD5: f116a86b8e6235cc551f30e1559d8d1d
SHA1: 0f5fd9e2d38068d58c222b6a78a7171a419e0575
SHA256: c3897cae08e39f70508d372e8e60b99da4490ae09139da8199a5ba70ab254725
SHA512: 14293608ec71b50ab875421cd3cb37006957e03aae54c95131a6c212f95e11fb3120a9024e99ad9dce9d3e6feffe9e98fac6bc80cb3a6bd3cc971ccd4485c0a0
SSDEEP: 393216:qWtZTh5KxtGKB29mUXV+OJzZU59yx2i57CszyrQxZh6V4/rqNwp3JP+R4XjXhSpK:qWDh5K2n57rqQoiJP+R4zXs1K
Malware Config
Signatures
Writes to the Master Boot Record (MBR) - 1 TTP, 1 IoC
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (CCleaner64.exe)

Checks computer location settings - 2 TTPs, 1 IoC
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation (CCleaner64.exe)

Checks installed software on the system - 1 TTP
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks system information in the registry - 2 TTPs, 2 IoCs
System information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer (CCleaner64.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (CCleaner64.exe)

Loads dropped DLL - 1 IoC
  PID 4776 (CCleaner64.exe)

Enumerates physical storage devices - 1 TTP
Attempts to interact with connected storage/optical drive(s).

Reads user/profile data of web browsers - 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Checks processor information in registry - 2 TTPs, 7 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (CCleaner64.exe)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor (CCleaner64.exe)
  Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (CCleaner64.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (CCleaner64.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (CCleaner64.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (CCleaner64.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (CCleaner64.exe)

Suspicious behavior: EnumeratesProcesses - 40 IoCs
  PID 4776 (CCleaner64.exe), 40 occurrences

Suspicious use of AdjustPrivilegeToken - 17 IoCs
  Token: SeDebugPrivilege, PID 4776 (CCleaner64.exe), 1 occurrence
  Token: SeShutdownPrivilege, PID 4776 (CCleaner64.exe), 8 occurrences
  Token: SeCreatePagefilePrivilege, PID 4776 (CCleaner64.exe), 8 occurrences

Suspicious use of SetWindowsHookEx - 2 IoCs
  PID 4776 (CCleaner64.exe), 2 occurrences

Uses Task Scheduler COM API - 1 TTP
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CCleaner64.exe"
  PID: 4776
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Checks system information in the registry
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads