Analysis
max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-10-2024 12:27

Static task: static1
Behavioral task: behavioral1
Sample: main.ps1
Resource: win11-20240802-en

General
Target: main.ps1
Size: 1KB
MD5: 3192d090b51a7619bc9efba00478eb83
SHA1: cd449bd5957d6f51a4a05150b9ba732bbb38314f
SHA256: 458d463a638840beb8ba3de4af72fa733373c004b83c32158277027b66dbeba4
SHA512: 82d8859ffc18525bd80b5c0ec995b31886d3cba31f09f87aca8a986cb4f2f4683b876caedd2a2da133a657f2d7465a51c5cd31f75b6f668e92800efec78bdf37
Malware Config
Signatures
- Possible privilege escalation attempt (16 IoCs)
  Processes (pid, process):
  3624 takeown.exe
  4320 takeown.exe
  3080 icacls.exe
  2456 takeown.exe
  2076 icacls.exe
  400 icacls.exe
  956 icacls.exe
  3228 icacls.exe
  1464 takeown.exe
  1468 icacls.exe
  3416 takeown.exe
  1012 takeown.exe
  3868 takeown.exe
  2756 takeown.exe
  4056 icacls.exe
  676 icacls.exe
- Modifies file permissions (1 TTP, 16 IoCs)
  Processes (pid, process):
  3080 icacls.exe
  2456 takeown.exe
  3228 icacls.exe
  2756 takeown.exe
  3416 takeown.exe
  400 icacls.exe
  956 icacls.exe
  1464 takeown.exe
  676 icacls.exe
  4056 icacls.exe
  1468 icacls.exe
  2076 icacls.exe
  4320 takeown.exe
  1012 takeown.exe
  3868 takeown.exe
  3624 takeown.exe
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
- Drops file in System32 directory (5 IoCs)
  Processes (description, ioc, process):
  File opened for modification, C:\Windows\System32\taskmgr.exe, powershell.exe
  File opened for modification, C:\Windows\System32\cmd.exe, powershell.exe
  File opened for modification, C:\Windows\System32\control.exe, powershell.exe
  File opened for modification, C:\Windows\System32\msconfig.exe, powershell.exe
  File opened for modification, C:\Windows\System32\regedt32.exe, powershell.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  File opened for modification, C:\Windows\explorer.exe, powershell.exe
  File opened for modification, C:\Windows\regedit.exe, powershell.exe
  File opened for modification, C:\Windows\notepad.exe, powershell.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes (pid, process):
  720 powershell.exe (all 34 IoCs are from this one process)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 720, powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, procid_target); each write below is recorded twice in the report:
  PID 720 (powershell.exe) wrote to memory of 764, procid_target 78
  PID 764 (cmd.exe) wrote to memory of 1012, procid_target 79
  PID 720 (powershell.exe) wrote to memory of 1116, procid_target 80
  PID 1116 (cmd.exe) wrote to memory of 400, procid_target 81
  PID 720 (powershell.exe) wrote to memory of 1952, procid_target 82
  PID 1952 (cmd.exe) wrote to memory of 3868, procid_target 83
  PID 720 (powershell.exe) wrote to memory of 4884, procid_target 84
  PID 4884 (cmd.exe) wrote to memory of 956, procid_target 85
  PID 720 (powershell.exe) wrote to memory of 780, procid_target 86
  PID 780 (cmd.exe) wrote to memory of 3624, procid_target 87
  PID 720 (powershell.exe) wrote to memory of 2528, procid_target 88
  PID 2528 (cmd.exe) wrote to memory of 3228, procid_target 89
  PID 720 (powershell.exe) wrote to memory of 2716, procid_target 90
  PID 2716 (cmd.exe) wrote to memory of 2756, procid_target 91
  PID 720 (powershell.exe) wrote to memory of 412, procid_target 92
  PID 412 (cmd.exe) wrote to memory of 4056, procid_target 93
  PID 720 (powershell.exe) wrote to memory of 1556, procid_target 94
  PID 1556 (cmd.exe) wrote to memory of 1464, procid_target 95
  PID 720 (powershell.exe) wrote to memory of 2752, procid_target 96
  PID 2752 (cmd.exe) wrote to memory of 1468, procid_target 97
  PID 720 (powershell.exe) wrote to memory of 2912, procid_target 98
  PID 2912 (cmd.exe) wrote to memory of 4320, procid_target 99
  PID 720 (powershell.exe) wrote to memory of 3016, procid_target 100
  PID 3016 (cmd.exe) wrote to memory of 2076, procid_target 101
  PID 720 (powershell.exe) wrote to memory of 2840, procid_target 102
  PID 2840 (cmd.exe) wrote to memory of 3416, procid_target 103
  PID 720 (powershell.exe) wrote to memory of 4304, procid_target 104
  PID 4304 (cmd.exe) wrote to memory of 3080, procid_target 105
  PID 720 (powershell.exe) wrote to memory of 4300, procid_target 106
  PID 4300 (cmd.exe) wrote to memory of 2456, procid_target 107
  PID 720 (powershell.exe) wrote to memory of 2552, procid_target 108
  PID 2552 (cmd.exe) wrote to memory of 676, procid_target 109
Processes (process tree; depth 1 is the root)
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
  PID: 720
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\explorer.exe" /A /R /D Y
    PID: 764
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\explorer.exe" /A /R /D Y
      PID: 1012
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\explorer.exe" /grant administrators:F /T
    PID: 1116
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\explorer.exe" /grant administrators:F /T
      PID: 400
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
    PID: 1952
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
      PID: 3868
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
    PID: 4884
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
      PID: 956
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
    PID: 780
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
      PID: 3624
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
    PID: 2528
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
      PID: 3228
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\regedit.exe" /A /R /D Y
    PID: 2716
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\regedit.exe" /A /R /D Y
      PID: 2756
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\regedit.exe" /grant administrators:F /T
    PID: 412
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\regedit.exe" /grant administrators:F /T
      PID: 4056
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\notepad.exe" /A /R /D Y
    PID: 1556
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\notepad.exe" /A /R /D Y
      PID: 1464
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\notepad.exe" /grant administrators:F /T
    PID: 2752
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\notepad.exe" /grant administrators:F /T
      PID: 1468
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
    PID: 2912
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
      PID: 4320
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
    PID: 3016
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
      PID: 2076
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
    PID: 2840
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
      PID: 3416
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
    PID: 4304
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
      PID: 3080
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
    PID: 4300
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
      PID: 2456
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
    PID: 2552
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
      PID: 676
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82