Analysis
- max time kernel: 106s
- max time network: 111s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-05-2022 14:55

Static task: static1
Behavioral task: behavioral1
Sample: 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe
Resource: win7-20220414-en
General
- Target: 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe
- Size: 33KB
- MD5: 640f2bf1f3445bef39e7d4372fd6c4e9
- SHA1: 166fb7a3e04df8da43294e03b60a429c6df7b184
- SHA256: 92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f
- SHA512: ef6d4e77f57925ca30a4508f78cdbffdfccc84ec408cd4f825b43590506ac5594791ff8cfca140b97de0edcc38320908521ca691027fad1b797acb5aafa7b338
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    4628  takeown.exe
    4600  icacls.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid   process
    4628  takeown.exe
    4600  icacls.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 1644 wrote to memory of 4700  1644  92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe  cmd.exe
    PID 1644 wrote to memory of 4700  1644  92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe  cmd.exe
    PID 1644 wrote to memory of 4700  1644  92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe  cmd.exe
    PID 4700 wrote to memory of 4628  4700  cmd.exe                                                                   takeown.exe
    PID 4700 wrote to memory of 4628  4700  cmd.exe                                                                   takeown.exe
    PID 4700 wrote to memory of 4628  4700  cmd.exe                                                                   takeown.exe
    PID 4700 wrote to memory of 4600  4700  cmd.exe                                                                   icacls.exe
    PID 4700 wrote to memory of 4600  4700  cmd.exe                                                                   icacls.exe
    PID 4700 wrote to memory of 4600  4700  cmd.exe                                                                   icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: TAKEOWN /F ""
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: ICACLS "" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\banish.cmd
  Filesize: 760B
  MD5: 4f4199874adea9219f1e4ad27d97d9c4
  SHA1: dc1dae4f4865f84e1d0f572cacd94f48b83fa289
  SHA256: 099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff
  SHA512: c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017
- memory/4600-133-0x0000000000000000-mapping.dmp
- memory/4628-132-0x0000000000000000-mapping.dmp
- memory/4700-130-0x0000000000000000-mapping.dmp