Analysis
  max time kernel: 41s
  max time network: 46s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 10-02-2023 03:24

Behavioral task: behavioral1
  Sample: banish.exe
  Resource: win7-20220812-en
General
  Target: banish.exe
  Size: 32KB
  MD5: 4a43ea617017d5de7d93eb2380634eee
  SHA1: b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21
  SHA256: dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549
  SHA512: c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e
  SSDEEP: 384:uEXkzu37tf1A3aXFDy7ZdAhqegVBJi/N5ZV6EMRbQaWTjwiewhOY85RGy+fzzFtC:u+euRG38y78h8g6EMRb9WXwiel3Gyyt
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    1660  takeown.exe
    1712  icacls.exe

Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid   process
    1660  takeown.exe
    1712  icacls.exe

YARA match (rule: upx)
  Processes:
    resource                                                                    yara_rule
    behavioral1/memory/1404-57-0x0000000000400000-0x000000000041E000-memory.dmp  upx

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process     target process
    PID 1404 wrote to memory of 1620   1404  banish.exe  cmd.exe
    PID 1404 wrote to memory of 1620   1404  banish.exe  cmd.exe
    PID 1404 wrote to memory of 1620   1404  banish.exe  cmd.exe
    PID 1404 wrote to memory of 1620   1404  banish.exe  cmd.exe
    PID 1620 wrote to memory of 1660   1620  cmd.exe     takeown.exe
    PID 1620 wrote to memory of 1660   1620  cmd.exe     takeown.exe
    PID 1620 wrote to memory of 1660   1620  cmd.exe     takeown.exe
    PID 1620 wrote to memory of 1660   1620  cmd.exe     takeown.exe
    PID 1620 wrote to memory of 1712   1620  cmd.exe     icacls.exe
    PID 1620 wrote to memory of 1712   1620  cmd.exe     icacls.exe
    PID 1620 wrote to memory of 1712   1620  cmd.exe     icacls.exe
    PID 1620 wrote to memory of 1712   1620  cmd.exe     icacls.exe
Processes
  (PIDs taken from the signature tables above; depth is the sandbox's process-tree level)

  [1] C:\Users\Admin\AppData\Local\Temp\banish.exe (PID 1404)
      command line: "C:\Users\Admin\AppData\Local\Temp\banish.exe"
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\SysWOW64\cmd.exe (PID 1620)
          command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
          - Suspicious use of WriteProcessMemory

          [3] C:\Windows\SysWOW64\takeown.exe (PID 1660)
              command line: TAKEOWN /F ""
              - Possible privilege escalation attempt
              - Modifies file permissions

          [3] C:\Windows\SysWOW64\icacls.exe (PID 1712)
              command line: ICACLS "" /grant "Admin":F
              - Possible privilege escalation attempt
              - Modifies file permissions
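The tree above is the whole story the sandbox captured: the sample drops banish.cmd into %TEMP%, runs it through cmd /c, and the script calls TAKEOWN /F and ICACLS /grant "Admin":F. In both recorded command lines the quoted target argument is empty (""), so matching on a specific path would miss this; a detector has to decode the arguments and reason about the parent chain instead. The following is an added example, not the sandbox's own signature logic: it rebuilds process ancestry from process-creation events, flags any parent that runs both takeown.exe and icacls.exe, decodes the targets and the grant, and notes whether the chain is rooted in a user-writable directory. The events are constructed to mirror this report (PIDs, images and command lines from the tables above); the root process's parent PID of 0 and the list of user-writable directories are assumptions.

```python
"""Added example (not part of the sandbox report): correlate process-creation
events into a parent chain and flag the takeown -> icacls pattern, decoding
the (here empty) targets. Events are constructed from the report's process
tree; the root's ppid of 0 is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report (PIDs from the WriteProcessMemory table).
EVENTS = [
    ProcEvent(1404, 0, r"C:\Users\Admin\AppData\Local\Temp\banish.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\banish.exe"'),
    ProcEvent(1620, 1404, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""'),
    ProcEvent(1660, 1620, r"C:\Windows\SysWOW64\takeown.exe",
              'TAKEOWN /F ""'),
    ProcEvent(1712, 1620, r"C:\Windows\SysWOW64\icacls.exe",
              'ICACLS "" /grant "Admin":F'),
]

# Assumed list of directories an unprivileged user can write to; a chain
# rooted here is more suspicious than one rooted under Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)


def windows_argv(cmdline: str) -> list[str]:
    """Split a command line on whitespace, honouring double quotes.
    Deliberately simple (no backslash or cmd.exe caret escapes). An
    explicitly empty quoted argument, "", is kept as '' rather than
    dropped, which is exactly what the report's commands contain."""
    args: list[str] = []
    cur: list[str] = []
    in_quote = have_token = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
            have_token = True          # "" alone still yields an argument
        elif ch.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        args.append("".join(cur))
    return args


def arg_after(argv: list[str], flag: str) -> str | None:
    """Value following a flag such as /F or /grant (case-insensitive)."""
    for i, a in enumerate(argv[:-1]):
        if a.lower() == flag.lower():
            return argv[i + 1]
    return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: list[ProcEvent], pid: int) -> list[ProcEvent]:
    """The process and its ancestors, child first, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect_ownership_grab(events: list[ProcEvent]) -> list[dict]:
    """Flag every parent that spawned both takeown.exe and icacls.exe,
    the combination the report's two permission signatures fire on."""
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for ppid, kids in children.items():
        takeowns = [k for k in kids if basename(k.image) == "takeown.exe"]
        icacls = [k for k in kids if basename(k.image) == "icacls.exe"]
        for t in takeowns:
            t_target = arg_after(windows_argv(t.cmdline), "/f")
            for i in icacls:
                i_argv = windows_argv(i.cmdline)
                i_target = i_argv[1] if len(i_argv) > 1 else None
                grant = arg_after(i_argv, "/grant")
                chain = ancestry(events, t.pid)
                findings.append({
                    "parent_pid": ppid,
                    "chain": [basename(e.image) for e in chain],
                    "takeown_target": t_target,
                    "icacls_target": i_target,
                    "grant": grant,
                    "full_control": bool(grant) and grant.upper().endswith(":F"),
                    "empty_target": "" in (t_target, i_target),
                    "root_in_user_writable_dir": bool(USER_WRITABLE.search(chain[-1].image)),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_ownership_grab(EVENTS):
        print(finding)
```

Run against the constructed events it yields one finding with chain takeown.exe -> cmd.exe -> banish.exe, an empty target on both commands, a full-control grant, and a root under %TEMP%; the same events without the icacls.exe row produce nothing, which is the point of keying on the pair rather than on either tool alone.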
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\banish.cmd
    Filesize: 760B
    MD5: 4f4199874adea9219f1e4ad27d97d9c4
    SHA1: dc1dae4f4865f84e1d0f572cacd94f48b83fa289
    SHA256: 099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff
    SHA512: c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017

  memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
    Filesize: 8KB

  memory/1404-57-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize: 120KB

  memory/1620-55-0x0000000000000000-mapping.dmp

  memory/1660-58-0x0000000000000000-mapping.dmp

  memory/1712-59-0x0000000000000000-mapping.dmp