Malware Analysis Report

2024-09-11 05:42

Sample ID 240701-cvfnxatblh
Target pcoptimizer.exe
SHA256 b308979b80ff6586c755a2e72fb988819ae4b50fb021ab0d1f27b0c6899d2bc1
Tags
bootkit defense_evasion discovery evasion exploit persistence ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b308979b80ff6586c755a2e72fb988819ae4b50fb021ab0d1f27b0c6899d2bc1

Threat Level: Likely malicious

The file pcoptimizer.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit defense_evasion discovery evasion exploit persistence ransomware

Modifies boot configuration data using bcdedit

Possible privilege escalation attempt

Sets file to hidden

Modifies file permissions

Executes dropped EXE

Writes to the Master Boot Record (MBR)

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
File and Directory Permissions Modification
T1222
Windows File and Directory Permissions Modification
T1222.001
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-01 02:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 02:23

Reported

2024-07-01 02:24

Platform

win11-20240508-en

Max time kernel

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe"

Signatures

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\mbr.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\System32\mbr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\mbr.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\mbr.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\mbr.exe C:\Windows\system32\attrib.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3692 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe C:\Windows\system32\cmd.exe
PID 3692 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1404 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1404 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1404 wrote to memory of 4784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1404 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mbr.exe
PID 1404 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mbr.exe
PID 1404 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mbr.exe
PID 1404 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1404 wrote to memory of 4264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1404 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1404 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe

"C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\attrib.exe

attrib +s +h C:\Windows\System32\mbr.exe

C:\Windows\System32\mbr.exe

C:\Windows\System32\mbr.exe

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ntoskrnl.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\hal.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\hal.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ci.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ci.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\winload.efi"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\winload.efi" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\WindowsApps"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\SystemApps"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\ImmersiveControlPanel"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\ImmersiveControlPanel" /grant everyone:F

C:\Windows\system32\taskkill.exe

taskkill /f /im discord.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell wininit

C:\Windows\system32\wininit.exe

"C:\Windows\system32\wininit.exe"

Network

N/A

Files

memory/4088-9-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\System32\mbr.exe

MD5 8562ed46d745dceb3cc268693ca25c83
SHA1 309067f0c9703084654495a47e67f7a40824700d
SHA256 ea5d21e6598d52b30e9d055bc406c6227bbadb5c493addb27b32fb16a6dcae8c
SHA512 52f23e70f7ea6eab1a50a4008e563d787732f7361dfe10c48f39dae42bce023c90449c9a903733fab13c49b50f8c4fa7d4864ab26c69326aab0149c765fd677b

C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat

MD5 c076d53a79bdea72d3252f6e7eabec00
SHA1 bd016c13f09b771218cbb2fed51d0d9c722f439d
SHA256 de3b425e1d62e1d24b9cef8e46a06b00ad08ee3bd08e9e99499de13f7043eb9f
SHA512 f8b18940bb8b61a23d9b700913dc6336bff5b309bca30012bf9d62a06d8c7df2c2e0adccf9670c120bb4b707e2cdbe3587fce266a6bb0409b3e5caee9011f6bd

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhufzkx1.qpq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/776-15-0x0000018EF2530000-0x0000018EF2552000-memory.dmp