Analysis
max time kernel: 1s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 19-03-2023 20:45
Static task: static1
Behavioral task: behavioral1
Sample: cmd.bat.ps1
Resource: win7-20230220-en (windows7-x64)
5 signatures
150 seconds
General
Target: cmd.bat.ps1
Size: 86B
MD5: f1c4769cc00061e40db7079ed27ff5c5
SHA1: 1930a2b913a10973e1daf0bf045f051516336df4
SHA256: ed0494f83716766320067c65c2ef602086f36d540a97facf3bf9d55b894dde36
SHA512: 05a69396ea22a62047d4642fa237ace68b7b01e167e6b014b9a1783aecdf01ede5321d92866e7c73c4908f7fc5d2d96b060c86aa5374da972f3cddca38c373b6
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid / process):
    444 takeown.exe
    1760 icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid / process):
    444 takeown.exe
    1760 icacls.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
    904 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 904 / powershell.exe
    Token: SeTakeOwnershipPrivilege / 444 / takeown.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 904 wrote to memory of 444 / 904 / powershell.exe / takeown.exe
    PID 904 wrote to memory of 444 / 904 / powershell.exe / takeown.exe
    PID 904 wrote to memory of 444 / 904 / powershell.exe / takeown.exe
    PID 904 wrote to memory of 1760 / 904 / powershell.exe / icacls.exe
    PID 904 wrote to memory of 1760 / 904 / powershell.exe / icacls.exe
    PID 904 wrote to memory of 1760 / 904 / powershell.exe / icacls.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cmd.bat.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/904-58-0x000000001B2A0000-0x000000001B582000-memory.dmp (Filesize: 2.9MB)
- memory/904-59-0x00000000024A0000-0x00000000024A8000-memory.dmp (Filesize: 32KB)
- memory/904-61-0x000000000283B000-0x0000000002872000-memory.dmp (Filesize: 220KB)
- memory/904-60-0x0000000002834000-0x0000000002837000-memory.dmp (Filesize: 12KB)