Static task
static1
Behavioral task
behavioral1
Sample
cacls.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
cacls.exe
Resource
win10v2004-20230703-en
General
-
Target
cacls.exe
-
Size
32KB
-
MD5
7b353f98e18fd9bea92d4ca9aeeba9cc
-
SHA1
4861b3d04e2db776782736126e71e08f80bb6803
-
SHA256
c81018f19c8c104e568d5168c7ca7011faa9c7ba7310510b303e54a7fafce84c
-
SHA512
f0a3b6e6ea41fae0e506936b85b4c437425f73c8f0704dc4a289d0b77cdc7cd4804536807cf4ae534c713a21df1a2500ccd3c23bb6d284df62e21bb66ed807b3
-
SSDEEP
768:gczFYtcN4HFs+QJp5UWh2/w/FxP9HnCi20b0DhDqG1+i2K:hzmtlnQJbUW8w/FxP1nkPDqGf2K
Malware Config (no configuration was extracted in this report)
Signatures
-
Unsigned PE (1 IoC)
Checks for missing Authenticode signature. Caveat: Microsoft-shipped system binaries such as cacls.exe are normally catalog-signed rather than carrying an embedded Authenticode signature, so this hit on its own does not distinguish a genuine cacls.exe from a tampered or renamed copy. Verify the SHA256 above against a known-good copy from a trusted Windows installation (or the Windows security catalog) before treating it as suspicious.
resource cacls.exe
Files
-
cacls.exe.exe windows x64
8f09ca312abdfeb8b57ba1170c68e893
Headers
DLL Characteristics (HIGH_ENTROPY_VA/DYNAMIC_BASE = ASLR with high-entropy 64-bit relocation, NX_COMPAT = DEP, GUARD_CF = Control Flow Guard; all standard exploit mitigations are enabled)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports (the security APIs below — SetNamedSecurityInfoW, SetKernelObjectSecurity, AccTreeResetNamedSecurityInfo, LookupAccountNameW/SidW and the SDDL converters — are consistent with cacls' documented role as a DACL-editing utility; no networking, process-injection, registry or service-control imports appear in this list)
msvcrt
__C_specific_handler
__setusermatherr
_cexit
_exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_callnewh
malloc
_wsetlocale
memcpy
__iob_func
free
printf
fgetws
wcschr
fprintf
_fmode
_vsnwprintf_s
_wcsicmp
vswprintf_s
wcscat_s
?terminate@@YAXXZ
_initterm
fwprintf_s
ferror
fwprintf
exit
wprintf
_wcsnicmp
wcscpy_s
_commode
memset
ntdll
RtlLookupFunctionEntry
RtlCaptureContext
NtOpenFile
RtlNtStatusToDosError
RtlVirtualUnwind
NtQueryInformationFile
NtClose
RtlReleaseRelativeName
RtlDosPathNameToRelativeNtPathName_U
RtlFreeHeap
ntmarta
AccTreeResetNamedSecurityInfo
api-ms-win-security-lsalookup-l2-1-0
LookupAccountNameW
LookupAccountSidW
api-ms-win-core-heap-l2-1-0
LocalAlloc
LocalFree
api-ms-win-core-errorhandling-l1-1-0
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
api-ms-win-security-base-l1-1-0
InitializeAcl
GetLengthSid
GetSecurityDescriptorControl
GetKernelObjectSecurity
GetFileSecurityW
GetSecurityDescriptorDacl
AddAce
SetSecurityDescriptorDacl
QuerySecurityAccessMask
SetSecurityAccessMask
InitializeSecurityDescriptor
SetKernelObjectSecurity
EqualSid
api-ms-win-security-sddl-l1-1-0
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-file-l1-1-0
GetFileAttributesW
GetFullPathNameW
GetVolumePathNameW
FindFirstFileW
FindClose
GetVolumeInformationW
FindNextFileW
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
CompareStringW
api-ms-win-core-console-l1-1-0
GetConsoleOutputCP
WriteConsoleW
GetConsoleMode
api-ms-win-core-processenvironment-l1-1-0
GetStdHandle
api-ms-win-core-localization-l1-2-0
SetThreadUILanguage
FormatMessageW
api-ms-win-core-processthreads-l1-1-0
GetCurrentProcess
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
api-ms-win-core-file-l1-2-0
GetVolumeNameForVolumeMountPointW
api-ms-win-core-heap-l1-1-0
HeapSetInformation
api-ms-win-core-synch-l1-2-0
Sleep
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleW
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0
GetTickCount
GetSystemTimeAsFileTime
api-ms-win-core-string-obsolete-l1-1-0
lstrlenW
api-ms-win-security-provider-l1-1-0
SetNamedSecurityInfoW
Sections
.text Size: 19KB - Virtual size: 18KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 720B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 84B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ