analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://download.ccleaner.com/ccsetup556.exe

Full analysis: https://app.any.run/tasks/f1cdad8e-253e-436a-9006-e0643f929d43
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 14, 2019, 20:04:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

1E5194F5ECE9C97C289B2EC5CB7CB30F

SHA1:

936B61CB96FF3F8AB55F5F401805F229C5EA52DB

SHA256:

146109C04B081955AD96A243696E7718BA954E26C6DC85EBE86ADA7E98CE1793

SSDEEP:

3:N8SElvdyZhWARQ7T0Cn:2SKCQXJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ccsetup556[1].exe (PID: 1336)
      • ccsetup556[1].exe (PID: 2100)
      • nsD055.tmp (PID: 3516)
      • CCleaner.exe (PID: 1520)
      • CCUpdate.exe (PID: 3608)
      • CCleaner.exe (PID: 2116)
      • CCleaner.exe (PID: 756)
      • CCUpdate.exe (PID: 1708)

    • Changes settings of System certificates

      • ccsetup556[1].exe (PID: 2100)

    • Actions looks like stealing of personal data

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 2116)
      • CCleaner.exe (PID: 756)

    • Loads dropped or rewritten executable

      • ccsetup556[1].exe (PID: 2100)
      • CCUpdate.exe (PID: 1708)

    • Loads the Task Scheduler COM API

      • CCleaner.exe (PID: 1520)
      • CCUpdate.exe (PID: 3608)
      • CCleaner.exe (PID: 2116)
      • CCleaner.exe (PID: 756)

    • Changes the autorun value in the registry

      • CCleaner.exe (PID: 756)
      • CCleaner.exe (PID: 2116)

    • Downloads executable files from the Internet

      • CCUpdate.exe (PID: 3608)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 1928)
      • iexplore.exe (PID: 2520)
      • ccsetup556[1].exe (PID: 2100)
      • CCUpdate.exe (PID: 3608)

    • Adds / modifies Windows certificates

      • ccsetup556[1].exe (PID: 2100)

    • Reads internet explorer settings

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 2116)
      • CCleaner.exe (PID: 756)

    • Reads Internet Cache Settings

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 2116)

    • Low-level read access rights to disk partition

      • ccsetup556[1].exe (PID: 2100)
      • CCUpdate.exe (PID: 3608)
      • CCleaner.exe (PID: 2116)
      • CCUpdate.exe (PID: 1708)
      • CCleaner.exe (PID: 756)

    • Creates files in the program directory

      • ccsetup556[1].exe (PID: 2100)
      • CCUpdate.exe (PID: 3608)

    • Reads the cookies of Mozilla Firefox

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 2116)

    • Modifies the open verb of a shell class

      • ccsetup556[1].exe (PID: 2100)

    • Reads Environment values

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 756)
      • CCleaner.exe (PID: 2116)

    • Reads the cookies of Google Chrome

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 2116)

    • Starts application with an unusual extension

      • ccsetup556[1].exe (PID: 2100)

    • Creates a software uninstall entry

      • ccsetup556[1].exe (PID: 2100)

    • Reads CPU info

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 2116)
      • CCleaner.exe (PID: 756)

    • Creates files in the user directory

      • ccsetup556[1].exe (PID: 2100)
      • CCleaner.exe (PID: 2116)
      • CCleaner.exe (PID: 756)

    • Application launched itself

      • CCUpdate.exe (PID: 3608)
      • CCleaner.exe (PID: 2116)

    • Removes files from Windows directory

      • CCleaner.exe (PID: 2116)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 1928)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 1928)

    • Changes internet zones settings

      • iexplore.exe (PID: 2520)

    • Reads settings of System Certificates

      • CCleaner.exe (PID: 2116)
      • CCleaner.exe (PID: 756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
11
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe ccsetup556[1].exe no specs ccsetup556[1].exe nsd055.tmp no specs ping.exe no specs ccleaner.exe no specs ccupdate.exe ccleaner.exe ccupdate.exe ccleaner.exe

Process information

PID
CMD
Path
Indicators
Parent process
2520"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1928"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1336"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ccsetup556[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ccsetup556[1].exeiexplore.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
MEDIUM
Description:
CCleaner Installer
Exit code:
3221226540
Version:
5.56.0.7144
2100"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ccsetup556[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ccsetup556[1].exe
iexplore.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner Installer
Exit code:
3221225547
Version:
5.56.0.7144
3516"C:\Users\admin\AppData\Local\Temp\nstA675.tmp\nsD055.tmp" C:\Windows\system32\ping.exe -n 1 -w 5000 www.ccleaner.comC:\Users\admin\AppData\Local\Temp\nstA675.tmp\nsD055.tmpccsetup556[1].exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3492C:\Windows\system32\ping.exe -n 1 -w 5000 www.ccleaner.comC:\Windows\system32\ping.exensD055.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1520"C:\Program Files\CCleaner\CCleaner.exe" /createSkipUAC 5.35.6210C:\Program Files\CCleaner\CCleaner.execcsetup556[1].exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner
Exit code:
0
Version:
5.56.0.7144
3608"C:\Program Files\CCleaner\CCUpdate.exe" /regC:\Program Files\CCleaner\CCUpdate.exe
ccsetup556[1].exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner emergency updater
Exit code:
0
Version:
19.2.566.0
2116"C:\Program Files\CCleaner\CCleaner.exe" C:\Program Files\CCleaner\CCleaner.exe
ccsetup556[1].exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner
Version:
5.56.0.7144
1708CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\0de4e8a6-8d9a-46ad-bd91-629db2cb59fb.dll"C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe
User:
admin
Company:
Piriform Software Ltd
Integrity Level:
HIGH
Description:
CCleaner emergency updater
Exit code:
0
Version:
19.2.566.0
Total events
5 080
Read events
4 752
Write events
0
Delete events
0

Modification events

No data
Executable files
133
Suspicious files
35
Text files
78
Unknown types
17

Dropped files

PID
Process
Filename
Type
2520iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2520iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2520iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4F282D375D21997B.TMP
MD5:
SHA256:
1928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019041420190415\index.datdat
MD5:CBB56D4E990B7DACFE1FAAE7457635FC
SHA256:076036E78ECDBEB156DE9DF313FADB4E402CEF6FC4333556651BC1C13B1A7CFE
2520iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019041420190415\index.datdat
MD5:046D9A6B239064C8617CD6D0243547AF
SHA256:94FC9EDC1D3184A8618F4B6DEEF6876F93E622923EFF0E7391B3049E794893E2
1928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RDSLDLKH\ccsetup556[1].exeexecutable
MD5:A0C39756DEEC65E6746236A5261ADC81
SHA256:E31E856BFDEF7FF99BD8C21495F087F8A4F4BBFCB5DA874E2FA168BC6220E78A
2520iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ccsetup556[1].exeexecutable
MD5:A0C39756DEEC65E6746236A5261ADC81
SHA256:E31E856BFDEF7FF99BD8C21495F087F8A4F4BBFCB5DA874E2FA168BC6220E78A
1928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:805BD3BF206C37C96D5C2D3A037EADE8
SHA256:00F8DD7A8FFE73BA3DD04A75F3FDE267AFAAD7370E0E692CC3C99E53AD6F51A0
2520iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{88BB8168-5EF0-11E9-B63D-5254004A04AF}.datbinary
MD5:D190B38A5A4439EA621C494C4D589426
SHA256:DA7F69BB7DA8A3B30D4EFF6CEF0D858DC7F43B8AA18398A36564DF166132E987
1928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:A08B4BB0C47838583CEDE69D14026C36
SHA256:C8A8540B86D2362435A13D8970AD6DDAA6EDF8130C20CFAD546831A5FCD572D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
18
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3608
CCUpdate.exe
HEAD
200
2.16.106.147:80
http://emupdate.avcdn.net/files/emupdate/pong.txt
unknown
whitelisted
3608
CCUpdate.exe
GET
200
5.62.38.20:80
http://ip-info.ff.avast.com/v2/info
NL
text
360 b
whitelisted
2116
CCleaner.exe
GET
200
151.101.2.109:80
http://license.piriform.com/verify/?p=ccpro&c=cc&cv=5.56.7144&l=1033&lk=CJ9T-J7CU-SPNV-GWMB-WBEC&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gd=f2b18f71-0d46-4a32-87b9-659ca2662cc0
US
html
5.58 Kb
whitelisted
2100
ccsetup556[1].exe
GET
200
151.101.0.64:80
http://service.piriform.com/installcheck.aspx?p=1&v=5.56.7144&vx=5.35.6210&l=1033&b=1&o=6.1W3&g=2&i=1&a=0&e=0&n=ccsetup556[1].exe&id=003&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gd=f2b18f71-0d46-4a32-87b9-659ca2662cc0
US
text
4 b
whitelisted
1708
CCUpdate.exe
GET
200
5.62.38.20:80
http://ip-info.ff.avast.com/v2/info
NL
text
360 b
whitelisted
2116
CCleaner.exe
GET
200
151.101.2.202:80
http://www.ccleaner.com/auto?a=0&p=cc&v=5.56.7144&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gd=f2b18f71-0d46-4a32-87b9-659ca2662cc0
US
text
23 b
whitelisted
3608
CCUpdate.exe
GET
200
2.16.106.185:80
http://ccleaner.tools.avcdn.net/tools/ccleaner/update/updates.xml
unknown
xml
1.55 Kb
whitelisted
3608
CCUpdate.exe
GET
200
2.16.106.185:80
http://ccleaner.tools.avcdn.net/tools/ccleaner/update/patches.ini
unknown
ini
170 b
whitelisted
3608
CCUpdate.exe
GET
200
2.16.106.185:80
http://ccleaner.tools.avcdn.net/tools/ccleaner/update/20180205.dll
unknown
executable
469 Kb
whitelisted
1708
CCUpdate.exe
GET
200
216.58.207.78:80
http://www.google-analytics.com/collect?v=1&tid=UA-58120669-26&t=event&cid=97b7721c4994e2556ff6a439510f665db45337a341a47e15f4997584423bf714&ec=20180910&ea=executed&el=1&ev=0
US
image
35 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2520
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1708
CCUpdate.exe
5.62.38.20:80
ip-info.ff.avast.com
AVAST Software s.r.o.
NL
suspicious
2100
ccsetup556[1].exe
151.101.0.64:80
service.piriform.com
Fastly
US
whitelisted
1708
CCUpdate.exe
216.58.207.78:80
www.google-analytics.com
Google Inc.
US
whitelisted
756
CCleaner.exe
151.101.2.109:443
license.piriform.com
Fastly
US
suspicious
3608
CCUpdate.exe
5.62.38.20:80
ip-info.ff.avast.com
AVAST Software s.r.o.
NL
suspicious
756
CCleaner.exe
5.62.40.204:443
analytics.ff.avast.com
AVAST Software s.r.o.
DE
malicious
3608
CCUpdate.exe
2.16.106.147:80
emupdate.avcdn.net
Akamai International B.V.
whitelisted
2116
CCleaner.exe
151.101.2.109:80
license.piriform.com
Fastly
US
suspicious
3608
CCUpdate.exe
2.16.106.185:80
ccleaner.tools.avcdn.net
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
download.ccleaner.com
  • 13.32.219.75
  • 13.32.219.76
  • 13.32.219.219
  • 13.32.219.236
shared
analytics.ff.avast.com
  • 5.62.40.204
  • 77.234.45.54
whitelisted
www.ccleaner.com
  • 151.101.2.202
  • 151.101.66.202
  • 151.101.130.202
  • 151.101.194.202
whitelisted
service.piriform.com
  • 151.101.0.64
  • 151.101.64.64
  • 151.101.128.64
  • 151.101.192.64
whitelisted
shepherd.ff.avast.com
  • 5.62.40.202
  • 5.62.40.201
whitelisted
ip-info.ff.avast.com
  • 5.62.38.21
  • 5.62.38.20
whitelisted
emupdate.avcdn.net
  • 2.16.106.187
  • 2.16.106.147
whitelisted
ccleaner.tools.avcdn.net
  • 2.16.106.178
  • 2.16.106.185
whitelisted
www.google-analytics.com
  • 216.58.207.78
whitelisted

Threats

PID
Process
Class
Message
1928
iexplore.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
3608
CCUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2116
CCleaner.exe
Misc activity
SUSPICIOUS [PTsecurity] Bundled.Toolbar.Google potentially unsafe
Process
Message
CCleaner.exe
self.ready
CCleaner.exe
OnData Not UsingRemoteContent OnData ShowUpsell=0 ShowCross=0 ShowTip=true
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://download.ccleaner.com/ccsetup556.exe