bc41395bdf5ab2cf766aa20e660a78e179528f24a726c83e315c8e18fe04fa28

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-02-2023 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

banish.exe
Size

32KB
MD5

4a43ea617017d5de7d93eb2380634eee
SHA1

b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21
SHA256

dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549
SHA512

c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e
SSDEEP

384:uEXkzu37tf1A3aXFDy7ZdAhqegVBJi/N5ZV6EMRbQaWTjwiewhOY85RGy+fzzFtC:u+euRG38y78h8g6EMRb9WXwiel3Gyyt

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1660 takeown.exe
1712 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1660 takeown.exe
1712 icacls.exe

pid	process
1660	takeown.exe
1712	icacls.exe

pid	process
1660	takeown.exe
1712	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1404-57-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

banish.execmd.exe

description	pid	process	target process
PID 1404 wrote to memory of 1620	1404	banish.exe	cmd.exe
PID 1404 wrote to memory of 1620	1404	banish.exe	cmd.exe
PID 1404 wrote to memory of 1620	1404	banish.exe	cmd.exe
PID 1404 wrote to memory of 1620	1404	banish.exe	cmd.exe
PID 1620 wrote to memory of 1660	1620	cmd.exe	takeown.exe
PID 1620 wrote to memory of 1660	1620	cmd.exe	takeown.exe
PID 1620 wrote to memory of 1660	1620	cmd.exe	takeown.exe
PID 1620 wrote to memory of 1660	1620	cmd.exe	takeown.exe
PID 1620 wrote to memory of 1712	1620	cmd.exe	icacls.exe
PID 1620 wrote to memory of 1712	1620	cmd.exe	icacls.exe
PID 1620 wrote to memory of 1712	1620	cmd.exe	icacls.exe
PID 1620 wrote to memory of 1712	1620	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\banish.exe
"C:\Users\Admin\AppData\Local\Temp\banish.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F ""
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1660

C:\Windows\SysWOW64\icacls.exe
ICACLS "" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1712

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\banish.cmd
Filesize
760B

MD5
4f4199874adea9219f1e4ad27d97d9c4

SHA1
dc1dae4f4865f84e1d0f572cacd94f48b83fa289

SHA256
099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff

SHA512
c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017

Download Submit
memory/1404-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1404-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-55-0x0000000000000000-mapping.dmp

Download
memory/1660-58-0x0000000000000000-mapping.dmp

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download