Analysis
max time kernel: 93s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-10-2024 12:22
Static task: static1
General
Target: main.ps1
Size: 1KB
MD5: b5515a7642b1c5853e8771e1571720a8
SHA1: 43498ba7615cb2ec69e64d5751f5a8197951d0b1
SHA256: 075da88f8a2508f9d1b63d8a1c244731d6314e50298104f27f6228b9dd20fa45
SHA512: 1110c1ac7b202d1e1bc29f0e753a0d68d40509e5e2f0cce3062ce7e6f2d315d895cf2b0550c7d7e5b0fd946cb678276985eed2ee425a2d42dac7c2e2b855f51e
Malware Config
Signatures
Possible privilege escalation attempt (18 IoCs)
Processes:
- icacls.exe (PIDs 2500, 576, 2536, 4296, 1512, 4432, 1504, 1508, 4424)
- takeown.exe (PIDs 4040, 1224, 2804, 4764, 4640, 632, 3464, 4860, 3932)
Modifies file permissions (1 TTP, 18 IoCs)
Processes:
- icacls.exe (PIDs 2536, 4424, 4296, 1512, 4432, 2500, 1504, 1508, 576)
- takeown.exe (PIDs 3464, 4040, 4640, 2804, 1224, 4860, 4764, 632, 3932)
Drops file in System32 directory (5 IoCs)
Processes:
- powershell.exe: file opened for modification C:\Windows\System32\taskmgr.exe
- powershell.exe: file opened for modification C:\Windows\System32\cmd.exe
- powershell.exe: file opened for modification C:\Windows\System32\control.exe
- powershell.exe: file opened for modification C:\Windows\System32\msconfig.exe
- powershell.exe: file opened for modification C:\Windows\System32\regedt32.exe
Drops file in Windows directory (3 IoCs)
Processes:
- powershell.exe: file opened for modification C:\Windows\explorer.exe
- powershell.exe: file opened for modification C:\Windows\regedit.exe
- powershell.exe: file opened for modification C:\Windows\notepad.exe
Modifies registry class (1 IoC)
Processes:
- explorer.exe: key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- powershell.exe (PID 2544), reported 6 times
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- powershell.exe (PID 2544): Token: SeDebugPrivilege
- takeown.exe (PID 4860): Token: SeTakeOwnershipPrivilege
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (each write is recorded twice in the report; source pid and process, target pid, procid_target):
- 2544 powershell.exe wrote to memory of 1340 (procid_target 79)
- 1340 cmd.exe wrote to memory of 4860 (procid_target 80)
- 2544 powershell.exe wrote to memory of 2156 (procid_target 81)
- 2156 cmd.exe wrote to memory of 4432 (procid_target 82)
- 2544 powershell.exe wrote to memory of 4040 (procid_target 83)
- 2544 powershell.exe wrote to memory of 4424 (procid_target 84)
- 2544 powershell.exe wrote to memory of 4764 (procid_target 85)
- 2544 powershell.exe wrote to memory of 576 (procid_target 86)
- 2544 powershell.exe wrote to memory of 4640 (procid_target 87)
- 2544 powershell.exe wrote to memory of 4296 (procid_target 88)
- 2544 powershell.exe wrote to memory of 1224 (procid_target 89)
- 2544 powershell.exe wrote to memory of 1512 (procid_target 90)
- 2544 powershell.exe wrote to memory of 632 (procid_target 91)
- 2544 powershell.exe wrote to memory of 2536 (procid_target 92)
- 2544 powershell.exe wrote to memory of 3932 (procid_target 93)
- 2544 powershell.exe wrote to memory of 2500 (procid_target 94)
- 2544 powershell.exe wrote to memory of 3464 (procid_target 95)
- 2544 powershell.exe wrote to memory of 1504 (procid_target 96)
- 2544 powershell.exe wrote to memory of 2804 (procid_target 97)
- 2544 powershell.exe wrote to memory of 1508 (procid_target 98)
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2544)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 1340)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F C:\Windows\System32\fr-FR\fms.dll.mui
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\takeown.exe (PID 4860)
      Command line: takeown /F C:\Windows\System32\fr-FR\fms.dll.mui
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 2156)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\icacls.exe (PID 4432)
      Command line: icacls C:\Windows\System32\fr-FR\fms.dll.mui /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 4040)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\explorer.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 4424)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\explorer.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 4764)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\taskmgr.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 576)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\taskmgr.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 4640)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\cmd.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 4296)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\cmd.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 1224)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\regedit.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 1512)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\regedit.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 632)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\notepad.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 2536)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\notepad.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 3932)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\control.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 2500)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\control.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 3464)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\msconfig.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 1504)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\msconfig.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\takeown.exe (PID 2804)
    Command line: "C:\Windows\system32\takeown.exe" /f C:\Windows\System32\regedt32.exe /a /r /d y
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\icacls.exe (PID 1508)
    Command line: "C:\Windows\system32\icacls.exe" C:\Windows\System32\regedt32.exe /grant administrators:F /t
    - Possible privilege escalation attempt
    - Modifies file permissions
C:\Windows\System32\rundll32.exe (PID 3056)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\explorer.exe (PID 608)
  Command line: "C:\Windows\explorer.exe"
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82