36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trigger.ps1
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

7^/10

discovery execution

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

4728 takeown.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1328 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1328 powershell.exe
1328 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exetakeown.exe

description pid process

Token: SeDebugPrivilege 1328 powershell.exe
Token: SeTakeOwnershipPrivilege 4728 takeown.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 4536 wrote to memory of 4728 4536 cmd.exe takeown.exe
PID 4536 wrote to memory of 4728 4536 cmd.exe takeown.exe

pid	process
4728	takeown.exe

pid	process
1328	powershell.exe

pid	process
1328	powershell.exe
1328	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeTakeOwnershipPrivilege	4728	takeown.exe

description	pid	process	target process
PID 4536 wrote to memory of 4728	4536	cmd.exe	takeown.exe
PID 4536 wrote to memory of 4728	4536	cmd.exe	takeown.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\System32\wininit.exe
"C:\Windows\System32\wininit.exe"
1⤵
PID:4108

C:\Windows\System32\wininit.exe
"C:\Windows\System32\wininit.exe"
1⤵
PID:4284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1756

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\System32\takeown.exe
takeown /f wininit.exe
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbitxpu0.mlv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1328-0-0x00007FFF6DB63000-0x00007FFF6DB65000-memory.dmp

Filesize
8KB

Download
memory/1328-6-0x0000021E77450000-0x0000021E77472000-memory.dmp

Filesize
136KB

Download
memory/1328-11-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

Filesize
10.8MB

Download
memory/1328-14-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

Filesize
10.8MB

Download
memory/1328-15-0x00007FFF6DB60000-0x00007FFF6E621000-memory.dmp

Filesize
10.8MB

Download