Analysis Overview
SHA256
f7d87d0a3977d9ed4ed6eaa2da2fe2aea9564f58cf062f828dec0aa21d9ec11e
Threat Level: Likely malicious
The file BlockerKeyVerificator_RunAsAdministrator.cmd was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Possible privilege escalation attempt
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Access Token Manipulation: Create Process with Token
Views/modifies file attributes
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 13:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 13:46
Reported
2024-10-15 13:49
Platform
win10-20240404-en
Max time kernel
74s
Max time network
76s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\system32\attrib.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\cmd.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Access Token Manipulation: Create Process with Token
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockerKeyVerificator_RunAsAdministrator.cmd" |
| C:\Windows\system32\fltMC.exe | fltmc |
| C:\Windows\system32\timeout.exe | timeout -1 |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\drivers\etc\hosts" /a |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\drivers\etc\hosts" /grant administrators:F |
| C:\Windows\system32\attrib.exe | attrib -h -r -s "C:\Windows\System32\drivers\etc\hosts" |
| C:\Windows\system32\find.exe | FIND /C /I "# Piriform Blocker Key Verificator" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "license.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "www.license.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "www.speccy.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "www.recuva.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "www.defraggler.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "www.ccleaner.piriform.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\find.exe | FIND /C /I "license-api.ccleaner.com" C:\Windows\system32\drivers\etc\hosts |
| C:\Windows\system32\attrib.exe | attrib +h +r +s "C:\Windows\system32\drivers\etc\hosts" |
| C:\Windows\system32\timeout.exe | timeout -1 |
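The process chain above shows the script taking ownership of the hosts file (takeown /a hands it to the Administrators group), granting that group full control, clearing the hidden/read-only/system attributes, and then running one FIND /C /I per license hostname to test whether an override is already present before restoring the attributes. The following is an added example for this report, not code from the analysed .cmd: it parses a hosts file and reports which of the hostnames named in those FIND commands are overridden, whether the marker comment is present, and (going one step beyond the report) whether any override points somewhere other than loopback or the null address, which would indicate redirection rather than plain blocking. The hosts-file content is constructed for the example; the Python script, not the sandbox, is the assumed tooling.

```python
"""Scan a Windows hosts file for the Piriform/CCleaner license-server
overrides that BlockerKeyVerificator_RunAsAdministrator.cmd tests for.
Added example; not part of the analysed script or the sandbox."""

# Hostnames copied from the FIND /C /I commands in the process list.
LICENSE_HOSTS = {
    "license.piriform.com", "www.license.piriform.com",
    "speccy.piriform.com", "www.speccy.piriform.com",
    "recuva.piriform.com", "www.recuva.piriform.com",
    "defraggler.piriform.com", "www.defraggler.piriform.com",
    "ccleaner.piriform.com", "www.ccleaner.piriform.com",
    "license-api.ccleaner.com",
}
# Marker comment the script searches for with its first FIND command.
MARKER = "# Piriform Blocker Key Verificator"
# Addresses that merely sink traffic; anything else is a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are dropped; one line
    may map several hostnames to the same address, as the hosts format allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def scan_hosts(text):
    """Summarise license-server overrides the way the script's FIND checks would.

    FIND /C /I counts lines containing the string case-insensitively, so the
    marker test is a case-insensitive substring match over raw lines.
    """
    overrides = {name: ip for ip, name in parse_hosts(text) if name in LICENSE_HOSTS}
    marker_present = any(MARKER.lower() in line.lower() for line in text.splitlines())
    redirects = {name: ip for name, ip in overrides.items() if ip not in SINK_ADDRESSES}
    return {
        "marker_present": marker_present,
        "overrides": overrides,
        "missing": sorted(LICENSE_HOSTS - overrides.keys()),
        "redirects": redirects,
    }


# Constructed sample hosts file (not taken from the sandbox run).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# Piriform Blocker Key Verificator
127.0.0.1 license.piriform.com www.license.piriform.com
0.0.0.0   license-api.ccleaner.com   # blocks activation
"""

if __name__ == "__main__":
    result = scan_hosts(SAMPLE_HOSTS)
    print("marker present:", result["marker_present"])
    for name, ip in sorted(result["overrides"].items()):
        print(f"override  {name:32} -> {ip}")
    print("not yet overridden:", ", ".join(result["missing"]))
    print("redirected to non-sink address:", result["redirects"] or "none")
```

Run against a live system, the same functions can be pointed at the file's content read from C:\Windows\System32\drivers\etc\hosts; an empty `missing` list together with a present marker matches the state the script is checking for before it edits the file.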
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\system32\drivers\etc\hosts
| MD5 | 18a28ef3d5f8abf84e80e11a8188c554 |
| SHA1 | fa6520361625a5602dc327835281aa0a665542cd |
| SHA256 | 5a7294df817264ceec493cf27713c6e68cfa93e8279bc46c853fcedc8a84104c |
| SHA512 | 457244339de779d6e795978d94520a1e29743519e833e1fef57a9623bfb0511e7fdbdc8af583ecda0dfc5f3dbc19af64e5223a1a25ecd919f36c263f391cec80 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 0a6dde25a2b7f016d92e1b738f2046e0 |
| SHA1 | c20d58d5636ed663edfd59c39e42384747eed1d3 |
| SHA256 | 093a14e36a56d11972fc81415cf3a8d7e40df92e7866d29be84528d63b1d2a29 |
| SHA512 | ec2e91a9246fb479813d1cfb90bc74927bdd292e1cefeb079b34e4ad3e3339825204cca60e28b9859cf6f5101aa4fe8edb9a8f6a775df564fd81db9de7f2c9f7 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 521cf03faee2d9dd30098ffeaa5605af |
| SHA1 | ebc4bbe3382f479cdcbe361d114d7b409e880867 |
| SHA256 | 6139756bfc8cba29d812a49fea97790734579c427dae38d749aebb9da8daec5f |
| SHA512 | a77bf0a19c6ca945ca2428662727b0d10b7dd5b1cdfefbb621e2543dd46cf9752deda66dd06c93a34a927faf9f2fdd5a367189b56bb12bc652d0e291a975dd9a |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 01f8e7708bcc7706bb46c83d26972655 |
| SHA1 | 16cfd8ee31d81c7bad898cea0e4c4d0749a09297 |
| SHA256 | e4df9045dd3340cd022851bda62a8673ac52172700c97e305ba4f70c7d537ef6 |
| SHA512 | ae5d1f5e34251bc69bf959eb3d939080d7dc1515571d614553b4d78b73aabc6fe92daab46055284cb10a34cc4830d6b3960e416b044452e777e06098fd118192 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | eb3b15744154bb668fbf6a6e0380fa94 |
| SHA1 | 5aad6232be97f71e6e83cb0635d63c0b417bd82f |
| SHA256 | 7ff73df942171101cf67ef53ce36eb5043eaaf11b777b5b90f4ba33fbf8b554f |
| SHA512 | b16575488021c14976f08ec249a9d87979a36b13afe5b2380359c3bf82ba2c6db5adf29e2f7254f5cd5283b5b650a454e46dc61e62e7507f10c56679cb62834a |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 4394ced870a0ce75fc9533b00e8505d4 |
| SHA1 | 1f6b40361c1218277bb0803c11ca411945f45e52 |
| SHA256 | c69b6ffc56f3b2638fd40f42621fda3d01e991446fc7e83863385e2cbf3ad154 |
| SHA512 | 6105fd1cba3fff22bcec34ccd10130d2c494cdbc3fb151284b8eb42f165fbf1dbe8f81ef5e65c160f0e7430b1b828a4cdc5e7135c2373baf248f7325a7dd286a |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 13762c1edd84ec8d3d681097fe54c3e3 |
| SHA1 | 7e945f6999a9e5c1123a6ac0a9576f9813a47cc4 |
| SHA256 | f64f5835f163f095c92e80e6dc20f6e78451a2cc65a29dd34518f45da47abe14 |
| SHA512 | 90bb9fc6452e3feeb15e46d1a59d46f636493667c9ee28f872b4ac6e8e8eda18316c5a515763041e23e5f3c7e1013504821ba66b06b778a0bf57f77b6da30be2 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | a0534970b2b3965818e2cdd9898ede1c |
| SHA1 | b7c22f95829d3bf2768c3c92a2b86ce1cc6ed754 |
| SHA256 | 6cf843271c492a39fac331cca2fc3e60d7b8e33e3c842a6180635b8d5a5897a4 |
| SHA512 | 1ff6d8bee72f154d74bd93baf101c76842301fc0ccd1a9704f9df04ec9beb33445e5f107b9c32dd9f52cc499db505d77e673375e240d1b326f656331cb49b7c7 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 093977a1f7894a82ad3d17ce60ff3e89 |
| SHA1 | cb8910a84540b96ab0a8d6a60d0717c0e0044fa5 |
| SHA256 | 99ec49931e8fe4a4fcd7da2b123ac62ed58dcad144c8f0d787f85b6f506f6088 |
| SHA512 | 15da1774cbc81ae87ae9d0c9fd6838594be66b88aaa299bb8485b0f3abc3db6dc47f0c2253badaf3df4766bb3587d1284a6f2064307190dcdb28432a942b2e66 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 0effcf49f5a58072bb6fdb5dcc55ee58 |
| SHA1 | ccc0349e35c09aab6626d45903e0b99eac276a97 |
| SHA256 | c18647f755213807681d1c21693bd6f6b14f77301d32bdc98b086c3aeca9fbd1 |
| SHA512 | 4e3b5a80e348d50ee98add2699421bb396bb96871f98666356fb0efd631035ccefb108080093690afbe34818b39cee87f8c8b624db31dc0563440c908927237e |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 5de2ffa56e1047af3128f467ca674d38 |
| SHA1 | c3df44c227455b53cee4616706b9308665fbe44a |
| SHA256 | 49421ec81d929f812914fb7ca140ff73ec7c7fb64c960e4d8421d91ae1c5a0db |
| SHA512 | b05ebd3447168541adf1ece25355d6dd2ea1619fbd356d8becf7b0b3369ae0b9d2337e0aa1670165907c87358795f548a9925ddd3345d5dc83a603fc44d48436 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 078c2158d9af642b385859eb0edf7ff2 |
| SHA1 | 88bb624ffbca3365eb410ba74ba48e5ae9296b58 |
| SHA256 | cfa762ac708ac4256c61401493af5e7990869920c28e24ac0dab4c78a4b3ef0a |
| SHA512 | 1a6ce0691133e98eb5a427b30c04fe05be82fa3780effb018348d3060d5ec97498db6fcb18f7a96ef1f0f367c92d63d07a6be2b09b5a0dc1232b3faa28187d0f |