Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-10-2024 12:27

General

  • Target

    main.ps1

  • Size

    1KB

  • MD5

    3192d090b51a7619bc9efba00478eb83

  • SHA1

    cd449bd5957d6f51a4a05150b9ba732bbb38314f

  • SHA256

    458d463a638840beb8ba3de4af72fa733373c004b83c32158277027b66dbeba4

  • SHA512

    82d8859ffc18525bd80b5c0ec995b31886d3cba31f09f87aca8a986cb4f2f4683b876caedd2a2da133a657f2d7465a51c5cd31f75b6f668e92800efec78bdf37

Malware Config

Signatures

  • Possible privilege escalation attempt 16 IoCs
  • Modifies file permissions 1 TTPs 16 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\explorer.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\explorer.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1012
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\explorer.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\explorer.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:400
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3868
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:956
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3624
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3228
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\regedit.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\regedit.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2756
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\regedit.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\regedit.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4056
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\notepad.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\notepad.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1464
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\notepad.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\notepad.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1468
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4320
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2076
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3416
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3080
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2456
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcgueirg.sm0.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/720-0-0x00007FF9CFC13000-0x00007FF9CFC15000-memory.dmp

    Filesize

    8KB

  • memory/720-9-0x000001F4A6BF0000-0x000001F4A6C12000-memory.dmp

    Filesize

    136KB

  • memory/720-10-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

    Filesize

    10.8MB

  • memory/720-11-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

    Filesize

    10.8MB

  • memory/720-12-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

    Filesize

    10.8MB

  • memory/720-13-0x00007FF9CFC13000-0x00007FF9CFC15000-memory.dmp

    Filesize

    8KB

  • memory/720-14-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

    Filesize

    10.8MB

  • memory/720-15-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

    Filesize

    10.8MB

  • memory/720-16-0x00007FF9CFC10000-0x00007FF9D06D2000-memory.dmp

    Filesize

    10.8MB