Malware Analysis Report

2024-12-07 14:30

Sample ID: 241015-q3dfeaxeqg
Target:    BlockerKeyVerificator_RunAsAdministrator.cmd
SHA256:    f7d87d0a3977d9ed4ed6eaa2da2fe2aea9564f58cf062f828dec0aa21d9ec11e
Tags:      defense_evasion discovery exploit privilege_escalation
Score:     8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  8/10
SHA256: f7d87d0a3977d9ed4ed6eaa2da2fe2aea9564f58cf062f828dec0aa21d9ec11e

Threat Level: Likely malicious

The file BlockerKeyVerificator_RunAsAdministrator.cmd was found to be: Likely malicious.

Malicious Activity Summary

Tags: defense_evasion discovery exploit privilege_escalation

- Drops file in Drivers directory
- Possible privilege escalation attempt
- Modifies file permissions
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Access Token Manipulation: Create Process with Token
- Views/modifies file attributes
- Delays execution with timeout.exe
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported:   2024-10-15 13:46

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-10-15 13:46
Reported:         2024-10-15 13:49
Platform:         win10-20240404-en
Max time kernel:  74s
Max time network: 76s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockerKeyVerificator_RunAsAdministrator.cmd"

Signatures

Drops file in Drivers directory

Description                    Indicator                               Process                          Target
File opened for modification   C:\Windows\system32\drivers\etc\hosts   C:\Windows\system32\attrib.exe   N/A
File opened for modification   C:\Windows\System32\drivers\etc\hosts   C:\Windows\system32\attrib.exe   N/A
File opened for modification   C:\Windows\system32\drivers\etc\hosts   C:\Windows\system32\cmd.exe      N/A

Possible privilege escalation attempt

Tags: exploit

Description   Indicator   Process                           Target
N/A           N/A         C:\Windows\system32\takeown.exe   N/A
N/A           N/A         C:\Windows\system32\icacls.exe    N/A

Modifies file permissions

Tags: discovery

Description   Indicator   Process                           Target
N/A           N/A         C:\Windows\system32\takeown.exe   N/A
N/A           N/A         C:\Windows\system32\icacls.exe    N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Tags: defense_evasion

Access Token Manipulation: Create Process with Token

Tags: defense_evasion privilege_escalation

Description   Indicator   Process                       Target
N/A           N/A         C:\Windows\system32\cmd.exe   N/A

Delays execution with timeout.exe

Tags: evasion

Description   Indicator   Process                           Target
N/A           N/A         C:\Windows\system32\timeout.exe   N/A
N/A           N/A         C:\Windows\system32\timeout.exe   N/A

Suspicious use of WriteProcessMemory

Description                        Indicator   Process                       Target
PID 5068 wrote to memory of 4164   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\fltMC.exe
PID 5068 wrote to memory of 4164   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\fltMC.exe
PID 5068 wrote to memory of 2960   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\timeout.exe
PID 5068 wrote to memory of 2960   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\timeout.exe
PID 5068 wrote to memory of 4432   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\takeown.exe
PID 5068 wrote to memory of 4432   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\takeown.exe
PID 5068 wrote to memory of 4116   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\icacls.exe
PID 5068 wrote to memory of 4116   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\icacls.exe
PID 5068 wrote to memory of 5116   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\attrib.exe
PID 5068 wrote to memory of 5116   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\attrib.exe
PID 5068 wrote to memory of 684    N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 684    N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 4984   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 4984   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 2164   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 2164   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 3196   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 3196   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 200    N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 200    N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 5004   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 5004   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 3392   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 3392   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 4584   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 4584   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 4644   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 4644   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 5012   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 5012   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 1508   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 1508   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 2668   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 2668   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\find.exe
PID 5068 wrote to memory of 756    N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\attrib.exe
PID 5068 wrote to memory of 756    N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\attrib.exe
PID 5068 wrote to memory of 4640   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\timeout.exe
PID 5068 wrote to memory of 4640   N/A         C:\Windows\system32\cmd.exe   C:\Windows\system32\timeout.exe

Views/modifies file attributes

Tags: evasion

Description   Indicator   Process                          Target
N/A           N/A         C:\Windows\system32\attrib.exe   N/A
N/A           N/A         C:\Windows\system32\attrib.exe   N/A

Processes

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockerKeyVerificator_RunAsAdministrator.cmd"

C:\Windows\system32\fltMC.exe
    fltmc

C:\Windows\system32\timeout.exe
    timeout -1

C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers\etc\hosts" /a

C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F

C:\Windows\system32\attrib.exe
    attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts"

C:\Windows\system32\find.exe
    FIND /C /I "# Piriform Blocker Key Verificator" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\find.exe
    FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts

C:\Windows\system32\attrib.exe
    attrib +h +r +s "C:\Windows\system32\drivers\etc\hosts"

C:\Windows\system32\timeout.exe
    timeout -1

Network

Country   Destination   Domain                         Proto
US        8.8.8.8:53    14.227.111.52.in-addr.arpa     udp

Files

C:\Windows\system32\drivers\etc\hosts

MD5 18a28ef3d5f8abf84e80e11a8188c554
SHA1 fa6520361625a5602dc327835281aa0a665542cd
SHA256 5a7294df817264ceec493cf27713c6e68cfa93e8279bc46c853fcedc8a84104c
SHA512 457244339de779d6e795978d94520a1e29743519e833e1fef57a9623bfb0511e7fdbdc8af583ecda0dfc5f3dbc19af64e5223a1a25ecd919f36c263f391cec80

C:\Windows\system32\drivers\etc\hosts

MD5 0a6dde25a2b7f016d92e1b738f2046e0
SHA1 c20d58d5636ed663edfd59c39e42384747eed1d3
SHA256 093a14e36a56d11972fc81415cf3a8d7e40df92e7866d29be84528d63b1d2a29
SHA512 ec2e91a9246fb479813d1cfb90bc74927bdd292e1cefeb079b34e4ad3e3339825204cca60e28b9859cf6f5101aa4fe8edb9a8f6a775df564fd81db9de7f2c9f7

C:\Windows\system32\drivers\etc\hosts

MD5 521cf03faee2d9dd30098ffeaa5605af
SHA1 ebc4bbe3382f479cdcbe361d114d7b409e880867
SHA256 6139756bfc8cba29d812a49fea97790734579c427dae38d749aebb9da8daec5f
SHA512 a77bf0a19c6ca945ca2428662727b0d10b7dd5b1cdfefbb621e2543dd46cf9752deda66dd06c93a34a927faf9f2fdd5a367189b56bb12bc652d0e291a975dd9a

C:\Windows\system32\drivers\etc\hosts

MD5 01f8e7708bcc7706bb46c83d26972655
SHA1 16cfd8ee31d81c7bad898cea0e4c4d0749a09297
SHA256 e4df9045dd3340cd022851bda62a8673ac52172700c97e305ba4f70c7d537ef6
SHA512 ae5d1f5e34251bc69bf959eb3d939080d7dc1515571d614553b4d78b73aabc6fe92daab46055284cb10a34cc4830d6b3960e416b044452e777e06098fd118192

C:\Windows\system32\drivers\etc\hosts

MD5 eb3b15744154bb668fbf6a6e0380fa94
SHA1 5aad6232be97f71e6e83cb0635d63c0b417bd82f
SHA256 7ff73df942171101cf67ef53ce36eb5043eaaf11b777b5b90f4ba33fbf8b554f
SHA512 b16575488021c14976f08ec249a9d87979a36b13afe5b2380359c3bf82ba2c6db5adf29e2f7254f5cd5283b5b650a454e46dc61e62e7507f10c56679cb62834a

C:\Windows\system32\drivers\etc\hosts

MD5 4394ced870a0ce75fc9533b00e8505d4
SHA1 1f6b40361c1218277bb0803c11ca411945f45e52
SHA256 c69b6ffc56f3b2638fd40f42621fda3d01e991446fc7e83863385e2cbf3ad154
SHA512 6105fd1cba3fff22bcec34ccd10130d2c494cdbc3fb151284b8eb42f165fbf1dbe8f81ef5e65c160f0e7430b1b828a4cdc5e7135c2373baf248f7325a7dd286a

C:\Windows\system32\drivers\etc\hosts

MD5 13762c1edd84ec8d3d681097fe54c3e3
SHA1 7e945f6999a9e5c1123a6ac0a9576f9813a47cc4
SHA256 f64f5835f163f095c92e80e6dc20f6e78451a2cc65a29dd34518f45da47abe14
SHA512 90bb9fc6452e3feeb15e46d1a59d46f636493667c9ee28f872b4ac6e8e8eda18316c5a515763041e23e5f3c7e1013504821ba66b06b778a0bf57f77b6da30be2

C:\Windows\system32\drivers\etc\hosts

MD5 a0534970b2b3965818e2cdd9898ede1c
SHA1 b7c22f95829d3bf2768c3c92a2b86ce1cc6ed754
SHA256 6cf843271c492a39fac331cca2fc3e60d7b8e33e3c842a6180635b8d5a5897a4
SHA512 1ff6d8bee72f154d74bd93baf101c76842301fc0ccd1a9704f9df04ec9beb33445e5f107b9c32dd9f52cc499db505d77e673375e240d1b326f656331cb49b7c7

C:\Windows\system32\drivers\etc\hosts

MD5 093977a1f7894a82ad3d17ce60ff3e89
SHA1 cb8910a84540b96ab0a8d6a60d0717c0e0044fa5
SHA256 99ec49931e8fe4a4fcd7da2b123ac62ed58dcad144c8f0d787f85b6f506f6088
SHA512 15da1774cbc81ae87ae9d0c9fd6838594be66b88aaa299bb8485b0f3abc3db6dc47f0c2253badaf3df4766bb3587d1284a6f2064307190dcdb28432a942b2e66

C:\Windows\system32\drivers\etc\hosts

MD5 0effcf49f5a58072bb6fdb5dcc55ee58
SHA1 ccc0349e35c09aab6626d45903e0b99eac276a97
SHA256 c18647f755213807681d1c21693bd6f6b14f77301d32bdc98b086c3aeca9fbd1
SHA512 4e3b5a80e348d50ee98add2699421bb396bb96871f98666356fb0efd631035ccefb108080093690afbe34818b39cee87f8c8b624db31dc0563440c908927237e

C:\Windows\system32\drivers\etc\hosts

MD5 5de2ffa56e1047af3128f467ca674d38
SHA1 c3df44c227455b53cee4616706b9308665fbe44a
SHA256 49421ec81d929f812914fb7ca140ff73ec7c7fb64c960e4d8421d91ae1c5a0db
SHA512 b05ebd3447168541adf1ece25355d6dd2ea1619fbd356d8becf7b0b3369ae0b9d2337e0aa1670165907c87358795f548a9925ddd3345d5dc83a603fc44d48436

C:\Windows\system32\drivers\etc\hosts

MD5 078c2158d9af642b385859eb0edf7ff2
SHA1 88bb624ffbca3365eb410ba74ba48e5ae9296b58
SHA256 cfa762ac708ac4256c61401493af5e7990869920c28e24ac0dab4c78a4b3ef0a
SHA512 1a6ce0691133e98eb5a427b30c04fe05be82fa3780effb018348d3060d5ec97498db6fcb18f7a96ef1f0f367c92d63d07a6be2b09b5a0dc1232b3faa28187d0f