Analysis
max time kernel: 3s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-10-2024 12:19
Static task: static1
General
Target: main.ps1
Size: 1KB
MD5: cc9f77cd4564117b8eadfb88d0cec5c6
SHA1: 0802d1b393825b8136eb51ba09b9de376e8b65f6
SHA256: 8f4a12b3f2d2669fc50c29397093ba9c0eb73ddf5ac386257f860c6df03738d2
SHA512: 109727a730c956636e5a1ba28bb02d3e27a2e69a625dc378f40ab573bfcb6d7a6b87c9303f49cc2d9559b7cfd15038d55f191adf64d2ef4bd739dcb47ac7e6e1
Malware Config
Signatures
Possible privilege escalation attempt (18 IoCs)
Processes (PID, image):
5500 icacls.exe, 4632 takeown.exe, 3668 icacls.exe, 3664 icacls.exe, 5536 takeown.exe, 124 takeown.exe, 2576 takeown.exe, 4016 icacls.exe, 2036 icacls.exe, 2344 takeown.exe, 5644 takeown.exe, 2824 icacls.exe, 4128 icacls.exe, 4888 icacls.exe, 2432 takeown.exe, 3520 takeown.exe, 4904 icacls.exe, 6064 takeown.exe

Modifies file permissions (1 TTPs, 18 IoCs)
Processes (PID, image):
5500 icacls.exe, 2824 icacls.exe, 2576 takeown.exe, 5536 takeown.exe, 6064 takeown.exe, 124 takeown.exe, 5644 takeown.exe, 3668 icacls.exe, 4016 icacls.exe, 3664 icacls.exe, 2432 takeown.exe, 4904 icacls.exe, 4888 icacls.exe, 4632 takeown.exe, 4128 icacls.exe, 3520 takeown.exe, 2036 icacls.exe, 2344 takeown.exe

Drops file in System32 directory (5 IoCs)
Process: powershell.exe. Files opened for modification:
C:\Windows\System32\msconfig.exe
C:\Windows\System32\regedt32.exe
C:\Windows\System32\taskmgr.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\control.exe

Drops file in Windows directory (3 IoCs)
Process: powershell.exe. Files opened for modification:
C:\Windows\explorer.exe
C:\Windows\regedit.exe
C:\Windows\notepad.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Process: PID 1192 powershell.exe (6 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token SeDebugPrivilege: PID 1192 powershell.exe
Token SeTakeOwnershipPrivilege: PID 6064 takeown.exe

Suspicious use of WriteProcessMemory (40 IoCs)
Source PID (image) -> target PID (sandbox procid), each entry recorded twice in the report:
1192 powershell.exe -> 5184 (81)
5184 cmd.exe -> 6064 (82)
1192 powershell.exe -> 5440 (83)
5440 cmd.exe -> 4888 (84)
1192 powershell.exe -> 124 (85)
1192 powershell.exe -> 5500 (86)
1192 powershell.exe -> 5644 (87)
1192 powershell.exe -> 2824 (88)
1192 powershell.exe -> 4632 (89)
1192 powershell.exe -> 4128 (90)
1192 powershell.exe -> 2576 (91)
1192 powershell.exe -> 3668 (92)
1192 powershell.exe -> 2432 (93)
1192 powershell.exe -> 4016 (94)
1192 powershell.exe -> 3520 (95)
1192 powershell.exe -> 2036 (96)
1192 powershell.exe -> 2344 (97)
1192 powershell.exe -> 3664 (98)
1192 powershell.exe -> 5536 (99)
1192 powershell.exe -> 4904 (100)
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1192)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 5184)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F C:\Windows\System32\fr-FR\fms.dll.mui
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 6064)
      Command line: takeown /F C:\Windows\System32\fr-FR\fms.dll.mui
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (PID 5440)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 4888)
      Command line: icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 124)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\explorer.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 5500)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\explorer.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 5644)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\taskmgr.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 2824)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\taskmgr.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 4632)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\cmd.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 4128)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\cmd.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 2576)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\regedit.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 3668)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\regedit.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 2432)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\notepad.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 4016)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\notepad.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 3520)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\control.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 2036)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\control.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 2344)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\msconfig.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 3664)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\msconfig.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\takeown.exe (PID 5536)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\regedt32.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 4904)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\regedt32.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
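The process tree above shows the pattern a detection would key on: takeown.exe /f followed by icacls.exe /grant administrators:F against the same binary under C:\Windows, each parented (directly or through cmd.exe /c) by the powershell.exe that ran main.ps1, after which that same powershell.exe opens the re-owned binaries for modification. The Python below is an added example, not part of the sandbox report or of the analysed script: it runs that correlation over constructed process-creation events whose PIDs and command lines are copied from the tree. The event field names (pid, ppid, image, cmdline), the root PPID, the protected-path list and the benign control event are assumptions, not anything the report states.

```python
"""Correlate takeown/icacls activity on protected Windows paths into ownership-hijack chains.

Added example, not the sandbox's or the script author's code. Input is a constructed
list of process-creation events modelled on the report's process tree.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: directories whose contents a user-launched script should never re-own.
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\")
# Script hosts whose presence in the ancestry marks the chain's root (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed events: PIDs and command lines copied from the report's tree; the
# root PPID (700) and the benign control event (PID 7000) are made up.
SAMPLE_EVENTS = [
    {"pid": 1192, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1"},
    {"pid": 5184, "ppid": 1192, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c takeown /F C:\Windows\System32\fr-FR\fms.dll.mui'},
    {"pid": 6064, "ppid": 5184, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /F C:\Windows\System32\fr-FR\fms.dll.mui"},
    {"pid": 5440, "ppid": 1192, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F'},
    {"pid": 4888, "ppid": 5440, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F"},
    {"pid": 124, "ppid": 1192, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r'"C:\Windows\system32\takeown.exe" /f C:\Windows\explorer.exe /a /r /d y'},
    {"pid": 5500, "ppid": 1192, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" C:\Windows\explorer.exe /grant administrators:F /t'},
    {"pid": 5644, "ppid": 1192, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r'"C:\Windows\system32\takeown.exe" /f C:\Windows\System32\taskmgr.exe /a /r /d y'},
    # Benign control: an admin fixing permissions under their own profile (must not fire).
    {"pid": 7000, "ppid": 900, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'"C:\Windows\system32\icacls.exe" C:\Users\Admin\Documents /grant Admin:F /t'},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')  # whitespace-split, honouring double quotes


def _tokens(cmdline):
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def extract_target(image, cmdline):
    """Path operated on by takeown (/f <path>) or icacls ... /grant (first non-switch arg); else None."""
    exe = PureWindowsPath(image).name.lower()
    args = _tokens(cmdline)[1:]  # drop argv[0]
    if exe == "takeown.exe":
        for i, t in enumerate(args):
            if t.lower() == "/f" and i + 1 < len(args):
                return args[i + 1]
    elif exe == "icacls.exe" and any(t.lower() == "/grant" for t in args):
        for t in args:
            if not t.startswith("/"):
                return t
    return None


def is_protected(path):
    return path.lower().startswith(PROTECTED_PREFIXES)


def script_host_root(pid, by_pid):
    """Follow ppid links upward; return the outermost script-host ancestor PID, or None."""
    root, seen = None, set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if PureWindowsPath(ev["image"]).name.lower() in SCRIPT_HOSTS:
            root = ev["pid"]
        pid = ev["ppid"]
    return root


def analyze(events):
    """Group takeown/icacls hits on protected paths by target (lower-cased).
    A target that saw both steps is a complete ownership-hijack chain."""
    by_pid = {e["pid"]: e for e in events}
    chains = defaultdict(dict)
    for ev in events:
        target = extract_target(ev["image"], ev["cmdline"])
        if target is None or not is_protected(target):
            continue
        step = PureWindowsPath(ev["image"]).stem.lower()  # "takeown" or "icacls"
        chains[target.lower()][step] = ev["pid"]
        chains[target.lower()]["root"] = script_host_root(ev["pid"], by_pid)
    return {t: {**s, "complete": "takeown" in s and "icacls" in s} for t, s in chains.items()}


if __name__ == "__main__":
    for target, info in analyze(SAMPLE_EVENTS).items():
        flag = "CHAIN" if info["complete"] else "partial"
        print(f"{flag:7} {target} takeown={info.get('takeown')} icacls={info.get('icacls')} root={info['root']}")
```

Run against the sample, fms.dll.mui and explorer.exe come back as complete chains rooted at PID 1192 even though the fms.dll.mui pair was wrapped in cmd.exe /c, taskmgr.exe is reported as a partial chain (only the takeown half is in the sample), and the icacls on the user's own Documents folder is ignored. In production, feed it Sysmon event 1 or Security 4688 records with command-line logging enabled; without command lines the target path cannot be recovered and only the takeown.exe/icacls.exe parentage remains as a signal.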
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82