Analysis

max time kernel: 91s
max time network: 95s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-10-2024 12:34

Static task: static1
Behavioral task: behavioral1
Sample: main.ps1
Resource: win11-20240802-en

General

Target: main.ps1
Size: 1KB
MD5: 4cbcc9a505602f4c84ccbfc4d5b5ed36
SHA1: 2c5f04f3d01734967647e813528217df1d2a7438
SHA256: aa31641aeef65f359ac55f3a96da0f482804e1c7f39307cd829f8b74696998e7
SHA512: cec8053733ea34aca52614f5f686d99a70d8de6c4feaf54798145484f707da2c22629e5139c2277dae2a216536deb876918b3f624e4663922650eb611c4a7dd1
Malware Config
Signatures

Possible privilege escalation attempt (16 IoCs)
Processes (pid, process):
  takeown.exe: 2992, 1484, 4260, 4548, 3128, 4296, 2056, 420
  icacls.exe: 1656, 1408, 1388, 1060, 896, 720, 3700, 1512

Modifies file permissions (1 TTP, 16 IoCs)
Processes (pid, process):
  takeown.exe: 2992, 4260, 1484, 420, 3128, 4296, 4548, 2056
  icacls.exe: 1656, 1408, 1060, 1512, 896, 720, 3700, 1388
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)

Drops file in System32 directory (5 IoCs)
Processes (description, ioc, process):
  File opened for modification: C:\Windows\System32\msconfig.exe (powershell.exe)
  File opened for modification: C:\Windows\System32\regedt32.exe (powershell.exe)
  File opened for modification: C:\Windows\System32\taskmgr.exe (powershell.exe)
  File opened for modification: C:\Windows\System32\cmd.exe (powershell.exe)
  File opened for modification: C:\Windows\System32\control.exe (powershell.exe)

Drops file in Windows directory (3 IoCs)
Processes (description, ioc, process):
  File opened for modification: C:\Windows\explorer.exe (powershell.exe)
  File opened for modification: C:\Windows\regedit.exe (powershell.exe)
  File opened for modification: C:\Windows\notepad.exe (powershell.exe)

Suspicious behavior: EnumeratesProcesses (34 IoCs)
Processes (pid, process):
  4556 powershell.exe (the same entry is reported 34 times)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 4556 powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: powershell.exe, cmd.exe (each parent writing into the child it spawns; the parent/child pairs are shown in the process tree below)
Processes (tree; indentation shows parent/child depth)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4556)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\main.ps1
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 4948)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\explorer.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 4296)
      Command line: takeown /F "C:\Windows\explorer.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 2316)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\explorer.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 720)
      Command line: icacls "C:\Windows\explorer.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 1444)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 4260)
      Command line: takeown /F "C:\Windows\System32\taskmgr.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 3328)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 1408)
      Command line: icacls "C:\Windows\System32\taskmgr.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 2880)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 4548)
      Command line: takeown /F "C:\Windows\System32\cmd.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 4744)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 3700)
      Command line: icacls "C:\Windows\System32\cmd.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 4572)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\regedit.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 2056)
      Command line: takeown /F "C:\Windows\regedit.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 1452)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\regedit.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 1388)
      Command line: icacls "C:\Windows\regedit.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 1476)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\notepad.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 2992)
      Command line: takeown /F "C:\Windows\notepad.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 4968)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\notepad.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 1656)
      Command line: icacls "C:\Windows\notepad.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 3680)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 1484)
      Command line: takeown /F "C:\Windows\System32\control.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 4568)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 1512)
      Command line: icacls "C:\Windows\System32\control.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 2812)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 420)
      Command line: takeown /F "C:\Windows\System32\msconfig.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 2436)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 1060)
      Command line: icacls "C:\Windows\System32\msconfig.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 1616)
    Command line: "C:\Windows\system32\cmd.exe" /c takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 3128)
      Command line: takeown /F "C:\Windows\System32\regedt32.exe" /A /R /D Y
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 1960)
    Command line: "C:\Windows\system32\cmd.exe" /c icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe (PID 896)
      Command line: icacls "C:\Windows\System32\regedt32.exe" /grant administrators:F /T
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82