36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

Analysis

max time kernel
316s
max time network
317s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

8^/10

discovery execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2612 takeown.exe
2552 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2612 takeown.exe
2552 icacls.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1744 powershell.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2620 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1744 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exetakeown.exe

description pid process

Token: SeDebugPrivilege 1744 powershell.exe
Token: SeTakeOwnershipPrivilege 2612 takeown.exe

pid	process
2612	takeown.exe
2552	icacls.exe

pid	process
2612	takeown.exe
2552	icacls.exe

pid	process
1744	powershell.exe

pid	process
2620	taskkill.exe

pid	process
1744	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeTakeOwnershipPrivilege	2612	takeown.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1596 wrote to memory of 2612	1596	cmd.exe	takeown.exe
PID 1596 wrote to memory of 2612	1596	cmd.exe	takeown.exe
PID 1596 wrote to memory of 2612	1596	cmd.exe	takeown.exe
PID 1596 wrote to memory of 2552	1596	cmd.exe	icacls.exe
PID 1596 wrote to memory of 2552	1596	cmd.exe	icacls.exe
PID 1596 wrote to memory of 2552	1596	cmd.exe	icacls.exe
PID 1596 wrote to memory of 2620	1596	cmd.exe	taskkill.exe
PID 1596 wrote to memory of 2620	1596	cmd.exe	taskkill.exe
PID 1596 wrote to memory of 2620	1596	cmd.exe	taskkill.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\takeown.exe
takeown /f wininit.exe
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\icacls.exe
icacls wininit.exe /grant everyone:(f)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2552

C:\Windows\System32\taskkill.exe
taskkill wininit.exe
2⤵
- Kills process with taskkill
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-4-0x000007FEF645E000-0x000007FEF645F000-memory.dmp

Filesize
4KB

Download
memory/1744-5-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1744-6-0x0000000001C60000-0x0000000001C68000-memory.dmp

Filesize
32KB

Download
memory/1744-7-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-8-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-9-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-10-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-11-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/1744-12-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download