92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f

Analysis

Target

92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe
Size

33KB
MD5

640f2bf1f3445bef39e7d4372fd6c4e9
SHA1

166fb7a3e04df8da43294e03b60a429c6df7b184
SHA256

92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f
SHA512

ef6d4e77f57925ca30a4508f78cdbffdfccc84ec408cd4f825b43590506ac5594791ff8cfca140b97de0edcc38320908521ca691027fad1b797acb5aafa7b338

Score

8^/10

discovery exploit

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4628 takeown.exe
4600 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4628 takeown.exe
4600 icacls.exe

pid	process
4628	takeown.exe
4600	icacls.exe

pid	process
4628	takeown.exe
4600	icacls.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.execmd.exe

description	pid	process	target process
PID 1644 wrote to memory of 4700	1644	92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe	cmd.exe
PID 1644 wrote to memory of 4700	1644	92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe	cmd.exe
PID 1644 wrote to memory of 4700	1644	92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe	cmd.exe
PID 4700 wrote to memory of 4628	4700	cmd.exe	takeown.exe
PID 4700 wrote to memory of 4628	4700	cmd.exe	takeown.exe
PID 4700 wrote to memory of 4628	4700	cmd.exe	takeown.exe
PID 4700 wrote to memory of 4600	4700	cmd.exe	icacls.exe
PID 4700 wrote to memory of 4600	4700	cmd.exe	icacls.exe
PID 4700 wrote to memory of 4600	4700	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe
"C:\Users\Admin\AppData\Local\Temp\92a606755b1b66738afa81ec24f6bd01a544b9b09b3e04c536ad14bde10dbb7f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\banish.cmd
Filesize
760B

MD5
4f4199874adea9219f1e4ad27d97d9c4

SHA1
dc1dae4f4865f84e1d0f572cacd94f48b83fa289

SHA256
099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff

SHA512
c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017

Download Submit
memory/4600-133-0x0000000000000000-mapping.dmp

Download
memory/4628-132-0x0000000000000000-mapping.dmp

Download
memory/4700-130-0x0000000000000000-mapping.dmp

Download