General

Target: 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe
Filesize: 33KB
Completed: 03-05-2022 15:01
Task: behavioral2
Score: 8/10
MD5: 640f2bf1f3445bef39e7d4372fd6c4e9
SHA1: 166fb7a3e04df8da43294e03b60a429c6df7b184
SHA256: 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f
SHA512: ef6d4e77f57925ca30a4508f78cdbffdfccc84ec408cd4f825b43590506ac5594791ff8cfca140b97de0edcc38320908521ca691027fad1b797acb5aafa7b338

Malware Config
Signatures 3

Defense Evasion
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe

    Reported IOCs

    pid  | process
    4628 | takeown.exe
    4600 | icacls.exe
  • Modifies file permissions
    takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid  | process
    4628 | takeown.exe
    4600 | icacls.exe
  • Suspicious use of WriteProcessMemory
    92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1644 wrote to memory of 4700 | 1644 | 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe | cmd.exe
    PID 1644 wrote to memory of 4700 | 1644 | 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe | cmd.exe
    PID 1644 wrote to memory of 4700 | 1644 | 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe | cmd.exe
    PID 4700 wrote to memory of 4628 | 4700 | cmd.exe | takeown.exe
    PID 4700 wrote to memory of 4628 | 4700 | cmd.exe | takeown.exe
    PID 4700 wrote to memory of 4628 | 4700 | cmd.exe | takeown.exe
    PID 4700 wrote to memory of 4600 | 4700 | cmd.exe | icacls.exe
    PID 4700 wrote to memory of 4600 | 4700 | cmd.exe | icacls.exe
    PID 4700 wrote to memory of 4600 | 4700 | cmd.exe | icacls.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe
    "C:\Users\Admin\AppData\Local\Temp\92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe"
    Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
      Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\takeown.exe
        TAKEOWN /F ""
        Possible privilege escalation attempt
        Modifies file permissions
        PID:4628
      • C:\Windows\SysWOW64\icacls.exe
        ICACLS "" /grant "Admin":F
        Possible privilege escalation attempt
        Modifies file permissions
        PID:4600
Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\banish.cmd
    MD5: 4f4199874adea9219f1e4ad27d97d9c4
    SHA1: dc1dae4f4865f84e1d0f572cacd94f48b83fa289
    SHA256: 099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff
    SHA512: c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017
  • memory/4600-133-0x0000000000000000-mapping.dmp
  • memory/4628-132-0x0000000000000000-mapping.dmp
  • memory/4700-130-0x0000000000000000-mapping.dmp