d7314ef013e8b31545e7e726328281f813b0e8e291f2e1329af888b2b74187dc

Analysis

max time kernel
53s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-01-2023 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0 - Piriform-BlockerKeyVerificator_RunAsAdministrator.cmd
Size

4KB
MD5

6ba5c46261ff52e7438f21ccef5f8c7e
SHA1

acdf309fbfebecb7a93b78068fc1498fae4d9e62
SHA256

f7d87d0a3977d9ed4ed6eaa2da2fe2aea9564f58cf062f828dec0aa21d9ec11e
SHA512

106b05fbeca31c78e5e5f33cbd62580aac1b4ef781a78ac2cbe80f92eb01f75beeaa480772dcf2f9f2bbea178e681aff2247dd3d08387b35ca507b90b4a5cc43
SSDEEP

96:zGXTD6E4YsQlPtYyjZW0vQH5aROc37gC9r2of6:zeDn4YsQlPtYyjZW0vQH5aROc37gC9rA

Score

8^/10

discovery exploit

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeattrib.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

472 takeown.exe
900 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

472 takeown.exe
900 icacls.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

444 timeout.exe
1576 timeout.exe

pid	process
472	takeown.exe
900	icacls.exe

pid	process
472	takeown.exe
900	icacls.exe

pid	process
444	timeout.exe
1576	timeout.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 888 wrote to memory of 1172	888	cmd.exe	fltMC.exe
PID 888 wrote to memory of 1172	888	cmd.exe	fltMC.exe
PID 888 wrote to memory of 1172	888	cmd.exe	fltMC.exe
PID 888 wrote to memory of 444	888	cmd.exe	timeout.exe
PID 888 wrote to memory of 444	888	cmd.exe	timeout.exe
PID 888 wrote to memory of 444	888	cmd.exe	timeout.exe
PID 888 wrote to memory of 472	888	cmd.exe	takeown.exe
PID 888 wrote to memory of 472	888	cmd.exe	takeown.exe
PID 888 wrote to memory of 472	888	cmd.exe	takeown.exe
PID 888 wrote to memory of 900	888	cmd.exe	icacls.exe
PID 888 wrote to memory of 900	888	cmd.exe	icacls.exe
PID 888 wrote to memory of 900	888	cmd.exe	icacls.exe
PID 888 wrote to memory of 1220	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 1220	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 1220	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 1524	888	cmd.exe	find.exe
PID 888 wrote to memory of 1524	888	cmd.exe	find.exe
PID 888 wrote to memory of 1524	888	cmd.exe	find.exe
PID 888 wrote to memory of 792	888	cmd.exe	find.exe
PID 888 wrote to memory of 792	888	cmd.exe	find.exe
PID 888 wrote to memory of 792	888	cmd.exe	find.exe
PID 888 wrote to memory of 268	888	cmd.exe	find.exe
PID 888 wrote to memory of 268	888	cmd.exe	find.exe
PID 888 wrote to memory of 268	888	cmd.exe	find.exe
PID 888 wrote to memory of 1752	888	cmd.exe	find.exe
PID 888 wrote to memory of 1752	888	cmd.exe	find.exe
PID 888 wrote to memory of 1752	888	cmd.exe	find.exe
PID 888 wrote to memory of 556	888	cmd.exe	find.exe
PID 888 wrote to memory of 556	888	cmd.exe	find.exe
PID 888 wrote to memory of 556	888	cmd.exe	find.exe
PID 888 wrote to memory of 1312	888	cmd.exe	find.exe
PID 888 wrote to memory of 1312	888	cmd.exe	find.exe
PID 888 wrote to memory of 1312	888	cmd.exe	find.exe
PID 888 wrote to memory of 1732	888	cmd.exe	find.exe
PID 888 wrote to memory of 1732	888	cmd.exe	find.exe
PID 888 wrote to memory of 1732	888	cmd.exe	find.exe
PID 888 wrote to memory of 572	888	cmd.exe	find.exe
PID 888 wrote to memory of 572	888	cmd.exe	find.exe
PID 888 wrote to memory of 572	888	cmd.exe	find.exe
PID 888 wrote to memory of 316	888	cmd.exe	find.exe
PID 888 wrote to memory of 316	888	cmd.exe	find.exe
PID 888 wrote to memory of 316	888	cmd.exe	find.exe
PID 888 wrote to memory of 1692	888	cmd.exe	find.exe
PID 888 wrote to memory of 1692	888	cmd.exe	find.exe
PID 888 wrote to memory of 1692	888	cmd.exe	find.exe
PID 888 wrote to memory of 1680	888	cmd.exe	find.exe
PID 888 wrote to memory of 1680	888	cmd.exe	find.exe
PID 888 wrote to memory of 1680	888	cmd.exe	find.exe
PID 888 wrote to memory of 1656	888	cmd.exe	find.exe
PID 888 wrote to memory of 1656	888	cmd.exe	find.exe
PID 888 wrote to memory of 1656	888	cmd.exe	find.exe
PID 888 wrote to memory of 928	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 928	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 928	888	cmd.exe	attrib.exe
PID 888 wrote to memory of 1576	888	cmd.exe	timeout.exe
PID 888 wrote to memory of 1576	888	cmd.exe	timeout.exe
PID 888 wrote to memory of 1576	888	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1220 attrib.exe
928 attrib.exe

pid	process
1220	attrib.exe
928	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0 - Piriform-BlockerKeyVerificator_RunAsAdministrator.cmd"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\fltMC.exe
fltmc
2⤵
PID:1172

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:444

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers\etc\hosts" /a
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:472

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:900

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1220

C:\Windows\system32\find.exe
FIND /C /I "# Piriform Blocker Key Verificator" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1524

C:\Windows\system32\find.exe
FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:792

C:\Windows\system32\find.exe
FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:268

C:\Windows\system32\find.exe
FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1752

C:\Windows\system32\find.exe
FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:556

C:\Windows\system32\find.exe
FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1312

C:\Windows\system32\find.exe
FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1732

C:\Windows\system32\find.exe
FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:572

C:\Windows\system32\find.exe
FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:316

C:\Windows\system32\find.exe
FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1692

C:\Windows\system32\find.exe
FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1680

C:\Windows\system32\find.exe
FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts
2⤵
PID:1656

C:\Windows\system32\attrib.exe
attrib +h +r +s "C:\Windows\system32\drivers\etc\hosts"
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:928

C:\Windows\system32\timeout.exe
timeout -1
2⤵
- Delays execution with timeout.exe
PID:1576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\drivers\etc\hosts
Filesize
860B

MD5
068b41bfeb76dae036c850c44c120de4

SHA1
c57dfc4cc500cec4e355cc4442c691a88fae0957

SHA256
8e4a6a8935ff1b0d74175d7557793a25c64fa499d0032062b849ecdbd414e6b3

SHA512
f2f52c0336f9c693d30002d269b0c56ed6eb899cc16f9373b31b7bc2d47dc1818bff60a0ed0f98158b73619ce8ce3bae4253e55fbdecf130e5d0f7a0b12c422a

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
910B

MD5
c678ca09571516b0b154b7bb16615c6d

SHA1
98d589355c7677ce407bceca0912e361ce463a20

SHA256
3d426cc5f69ec2e4ac6cc872096488ec27d59e4ca4e390f00cb765e573702810

SHA512
8c2b88eff81bc52fadb25411dfc5c702cbaad97f4901a2a490fdc9846dc775844baf3751872266818ca3a4a0ae1d4b07a8a802a4e9726429e2189df767856a50

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
964B

MD5
995d138a41f1b15081df0a9451589261

SHA1
c3c3c2c82a8b635464a47ff24f389d3d05fe0be4

SHA256
ab4a13e1860bb7e217bde555c08e2b4b3186cfcf5e0072793bfa28b69660bc68

SHA512
dc4ab59f7b0e4b84daa892bf1e615c116f75571df965715d5fe84452632a808a6f39b34cc62a0ddd3c39a46eb313bc7583b17478e7592a41853c3b2468aa2536

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1013B

MD5
0d6e797208adb212724c50c3728408e1

SHA1
73cdc6868f848025dccd36a8cfe89807ca8e2a1e

SHA256
d98e575fb9b84e5b45822969a7bee9b51d55ceecd230aec968846f40c5eb0449

SHA512
7fcb4b45c0ac2e1fd923cc24c93b33432747e87ff67cd46d9fec021c083bfe4264521d2ed2ba3453e60e41948b81229c4b95daf36c6db945bc029c2fe425fb81

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
5905a6804cc613f2040ed02be796fff9

SHA1
51742113a11450b3d1c688392274b5d7ae0328e0

SHA256
8a856b271d9ebe03216c64713e1870aa6922083d821a6c6222ca9e0ef7004266

SHA512
8f249142fd409fed2331fb6d9aa0d30aefee8eaf84369377461517c78ae9603505eb23cd83215f3f6029c15dae3dec70cf707b06b7fa0d18073f4dd36336a823

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
bc0000aa28132d22c5e9e3b4c1e7250e

SHA1
746ce30214393f83be7c18359a47a0dd164b5b22

SHA256
2742178eb33a9489f676caa9446f13231221f2444291abec0fc15f6c0152a686

SHA512
0d46083dfdbb35f54a3600eb761b522f9f172d9c2e732251b2304e05de6d304e64128892d94989209e9c3b8adcf2c06981b6aa2a1d364dba1bda3c24ccc16ee2

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
aac5422a2e9bffb60ce03bbc2e24fd57

SHA1
31a4b61a744364f6735c49e5363866875203111d

SHA256
df7d8c446842caafb2df1928dc37e49770f3682af99ae571e26acc5ed91aab11

SHA512
2851de3e369bb1fbf67b8f0eb2e4ec4467da41e54c9cc6142148dcc87d7fd76240e72fce0adbc359a61744285a54618884ba2d0330d545d7c4d337eaab609fd6

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
ab98b10e2d122ab15b87cd98f93477a1

SHA1
f1abffb0d97d3a2c9bbe1f1af93bda307790218b

SHA256
bf23542a44b679195b918d6d81a8c9249073adce461a1d067a5cb7d6f834a2bd

SHA512
59d4d2ce79cda4e3e8af92e8a0e5f83ee6d3dfd3edca46f0bfb2096f88621440e2838001970d2acba8b29109247fe257ced638290c9b579bdbf288e67e914977

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
a06f0e37a224c20fe0a3eb7bc13c4235

SHA1
cc587749fa0eba12d508df329fb91a703e1d73a9

SHA256
14013897e9d424b0c5d9cb2bc00a41adb0b733fdb00085ec0f3736b65a5eaf78

SHA512
249f92c6137bc5a77989957ca7856b27e7be889d4d161e9f4efdd5d3260d1621156afdb37b00e56775aaf9ea4a527ce21f41abc7076fc3afc1953f2941a917b7

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
b38cfbcbd2506ec4ebac4c99c8793bd0

SHA1
7ddee9b156a01dbb068c2777acf795fca4c52b0b

SHA256
d95b8af1f473911c5d6950390ccaba5f4ce1cc8723c70851b0b44d696bf8fc8a

SHA512
0176acc00efc2e6ce543940924a409a884612c3711e658e8699411ff7cd2c574f7afce371863da206563eb363ef091e43d160ebbcad446cd320dca08bd37aa54

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
8dfc59bf1369f7f25b40faa93a4ab66e

SHA1
e4a280f6333388ca48727d98198aa2a3387cc4d1

SHA256
369e43332f981ee1cb19aeac61cf7a156cc4eb4989db5576f0a950a2a4fbb244

SHA512
1392bdd342b3ab67e1cc868939280f550e3d8e938af187c8b8c1b42ecdcc041fc0d6a5631d5cb45638a873ad5222c39051abe7066f84af04503712913876e9bf

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
2629955a387082e05aeffc1ec83f0e8b

SHA1
03e59b13caeb0a6be3f2db49fa0ae742b908a7ab

SHA256
f6b6f08f1c06debbf229c9454288ffdd5f9921f04e54fc41009683e4f4e3b537

SHA512
e237a784264636cbfc72274cc69245bd30f99a254e3d9d7d24d628ecb682c9fd073375e031659a5501788f9db86e1795ed7bc3002933d8ece8ea3dbc5af42475

Download Submit
memory/268-62-0x0000000000000000-mapping.dmp

Download
memory/316-74-0x0000000000000000-mapping.dmp

Download
memory/444-55-0x0000000000000000-mapping.dmp

Download
memory/472-56-0x0000000000000000-mapping.dmp

Download
memory/556-66-0x0000000000000000-mapping.dmp

Download
memory/572-72-0x0000000000000000-mapping.dmp

Download
memory/792-60-0x0000000000000000-mapping.dmp

Download
memory/900-57-0x0000000000000000-mapping.dmp

Download
memory/928-82-0x0000000000000000-mapping.dmp

Download
memory/1172-54-0x0000000000000000-mapping.dmp

Download
memory/1220-58-0x0000000000000000-mapping.dmp

Download
memory/1312-68-0x0000000000000000-mapping.dmp

Download
memory/1524-59-0x0000000000000000-mapping.dmp

Download
memory/1576-84-0x0000000000000000-mapping.dmp

Download
memory/1656-80-0x0000000000000000-mapping.dmp

Download
memory/1680-78-0x0000000000000000-mapping.dmp

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1732-70-0x0000000000000000-mapping.dmp

Download
memory/1752-64-0x0000000000000000-mapping.dmp

Download