Analysis

  • max time kernel
    91s
  • max time network
    95s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-10-2024 12:34

General

  • Target

    main.ps1

  • Size

    1KB

  • MD5

    4cbcc9a505602f4c84ccbfc4d5b5ed36

  • SHA1

    2c5f04f3d01734967647e813528217df1d2a7438

  • SHA256

    aa31641aeef65f359ac55f3a96da0f482804e1c7f39307cd829f8b74696998e7

  • SHA512

    cec8053733ea34aca52614f5f686d99a70d8de6c4feaf54798145484f707da2c22629e5139c2277dae2a216536deb876918b3f624e4663922650eb611c4a7dd1

Malware Config

Signatures

  • Possible privilege escalation attempt 16 IoCs
  • Modifies file permissions 1 TTPs 16 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4556
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\explorer.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\explorer.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4296
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\explorer.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\explorer.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:720
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4260
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1408
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4548
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3700
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\regedit.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\regedit.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2056
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\regedit.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\regedit.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1388
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\notepad.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\notepad.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2992
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\notepad.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\notepad.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1656
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1484
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1512
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:420
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1060
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3128
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzln3xf2.r44.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/4556-0-0x00007FFCED9D3000-0x00007FFCED9D5000-memory.dmp

    Filesize

    8KB

  • memory/4556-9-0x0000021250250000-0x0000021250272000-memory.dmp

    Filesize

    136KB

  • memory/4556-10-0x00007FFCED9D0000-0x00007FFCEE492000-memory.dmp

    Filesize

    10.8MB

  • memory/4556-11-0x00007FFCED9D0000-0x00007FFCEE492000-memory.dmp

    Filesize

    10.8MB

  • memory/4556-12-0x00007FFCED9D0000-0x00007FFCEE492000-memory.dmp

    Filesize

    10.8MB

  • memory/4556-13-0x00007FFCED9D3000-0x00007FFCED9D5000-memory.dmp

    Filesize

    8KB

  • memory/4556-14-0x00007FFCED9D0000-0x00007FFCEE492000-memory.dmp

    Filesize

    10.8MB

  • memory/4556-15-0x00007FFCED9D0000-0x00007FFCEE492000-memory.dmp

    Filesize

    10.8MB

  • memory/4556-16-0x00007FFCED9D0000-0x00007FFCEE492000-memory.dmp

    Filesize

    10.8MB