Analysis
- max time kernel: 42s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 04-10-2024 12:15
- Static task: static1
General
- Target: main.ps1
- Size: 1KB
- MD5: cc9f77cd4564117b8eadfb88d0cec5c6
- SHA1: 0802d1b393825b8136eb51ba09b9de376e8b65f6
- SHA256: 8f4a12b3f2d2669fc50c29397093ba9c0eb73ddf5ac386257f860c6df03738d2
- SHA512: 109727a730c956636e5a1ba28bb02d3e27a2e69a625dc378f40ab573bfcb6d7a6b87c9303f49cc2d9559b7cfd15038d55f191adf64d2ef4bd739dcb47ac7e6e1
Malware Config
Signatures
- Possible privilege escalation attempt (18 IoCs)
Processes:
pid   Process
4708  takeown.exe
2620  icacls.exe
4676  takeown.exe
4632  icacls.exe
688   icacls.exe
4644  takeown.exe
3492  takeown.exe
1372  takeown.exe
4204  takeown.exe
3804  icacls.exe
2508  takeown.exe
4704  icacls.exe
3140  icacls.exe
4888  takeown.exe
4316  takeown.exe
4700  icacls.exe
4768  icacls.exe
4420  icacls.exe
- Modifies file permissions (1 TTPs, 18 IoCs)
Processes:
pid   Process
4316  takeown.exe
4708  takeown.exe
688   icacls.exe
3492  takeown.exe
4420  icacls.exe
1372  takeown.exe
3140  icacls.exe
4204  takeown.exe
4632  icacls.exe
4644  takeown.exe
2508  takeown.exe
4676  takeown.exe
3804  icacls.exe
4704  icacls.exe
4700  icacls.exe
4768  icacls.exe
2620  icacls.exe
4888  takeown.exe
- Drops file in System32 directory (5 IoCs)
Processes:
description                   ioc                                  Process
File opened for modification  C:\Windows\System32\taskmgr.exe      powershell.exe
File opened for modification  C:\Windows\System32\cmd.exe          powershell.exe
File opened for modification  C:\Windows\System32\control.exe      powershell.exe
File opened for modification  C:\Windows\System32\msconfig.exe     powershell.exe
File opened for modification  C:\Windows\System32\regedt32.exe     powershell.exe
- Drops file in Windows directory (3 IoCs)
Processes:
description                   ioc                          Process
File opened for modification  C:\Windows\explorer.exe      powershell.exe
File opened for modification  C:\Windows\regedit.exe       powershell.exe
File opened for modification  C:\Windows\notepad.exe       powershell.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid   Process
3604  powershell.exe
3604  powershell.exe
3604  powershell.exe
3604  powershell.exe
3604  powershell.exe
3604  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                      pid   Process
Token: SeDebugPrivilege          3604  powershell.exe
Token: SeTakeOwnershipPrivilege  4204  takeown.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
Processes:
description                        pid   Process          procid_target
PID 3604 wrote to memory of 4328   3604  powershell.exe   79
PID 3604 wrote to memory of 4328   3604  powershell.exe   79
PID 4328 wrote to memory of 4204   4328  cmd.exe          80
PID 4328 wrote to memory of 4204   4328  cmd.exe          80
PID 3604 wrote to memory of 4256   3604  powershell.exe   81
PID 3604 wrote to memory of 4256   3604  powershell.exe   81
PID 4256 wrote to memory of 2620   4256  cmd.exe          82
PID 4256 wrote to memory of 2620   4256  cmd.exe          82
PID 3604 wrote to memory of 4888   3604  powershell.exe   83
PID 3604 wrote to memory of 4888   3604  powershell.exe   83
PID 3604 wrote to memory of 3804   3604  powershell.exe   84
PID 3604 wrote to memory of 3804   3604  powershell.exe   84
PID 3604 wrote to memory of 2508   3604  powershell.exe   85
PID 3604 wrote to memory of 2508   3604  powershell.exe   85
PID 3604 wrote to memory of 4704   3604  powershell.exe   86
PID 3604 wrote to memory of 4704   3604  powershell.exe   86
PID 3604 wrote to memory of 4676   3604  powershell.exe   87
PID 3604 wrote to memory of 4676   3604  powershell.exe   87
PID 3604 wrote to memory of 4632   3604  powershell.exe   88
PID 3604 wrote to memory of 4632   3604  powershell.exe   88
PID 3604 wrote to memory of 4316   3604  powershell.exe   89
PID 3604 wrote to memory of 4316   3604  powershell.exe   89
PID 3604 wrote to memory of 688    3604  powershell.exe   90
PID 3604 wrote to memory of 688    3604  powershell.exe   90
PID 3604 wrote to memory of 4644   3604  powershell.exe   91
PID 3604 wrote to memory of 4644   3604  powershell.exe   91
PID 3604 wrote to memory of 4700   3604  powershell.exe   92
PID 3604 wrote to memory of 4700   3604  powershell.exe   92
PID 3604 wrote to memory of 3492   3604  powershell.exe   93
PID 3604 wrote to memory of 3492   3604  powershell.exe   93
PID 3604 wrote to memory of 4768   3604  powershell.exe   94
PID 3604 wrote to memory of 4768   3604  powershell.exe   94
PID 3604 wrote to memory of 4708   3604  powershell.exe   95
PID 3604 wrote to memory of 4708   3604  powershell.exe   95
PID 3604 wrote to memory of 4420   3604  powershell.exe   96
PID 3604 wrote to memory of 4420   3604  powershell.exe   96
PID 3604 wrote to memory of 1372   3604  powershell.exe   97
PID 3604 wrote to memory of 1372   3604  powershell.exe   97
PID 3604 wrote to memory of 3140   3604  powershell.exe   98
PID 3604 wrote to memory of 3140   3604  powershell.exe   98
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3604
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F C:\Windows\System32\fr-FR\fms.dll.mui
    - Suspicious use of WriteProcessMemory
    PID: 4328
    - C:\Windows\system32\takeown.exe (depth 3)
      Command line: takeown /F C:\Windows\System32\fr-FR\fms.dll.mui
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID: 4204
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F
    - Suspicious use of WriteProcessMemory
    PID: 4256
    - C:\Windows\system32\icacls.exe (depth 3)
      Command line: icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID: 2620
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\explorer.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4888
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\explorer.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 3804
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\taskmgr.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 2508
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\taskmgr.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4704
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\cmd.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4676
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\cmd.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4632
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\regedit.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4316
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\regedit.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 688
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\notepad.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4644
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\notepad.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4700
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\control.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 3492
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\control.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4768
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\msconfig.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4708
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\msconfig.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4420
  - C:\Windows\system32\takeown.exe (depth 2)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\regedt32.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 1372
  - C:\Windows\system32\icacls.exe (depth 2)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\regedt32.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 3140
- C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1912
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82