Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-05-2024 08:18
Behavioral task: behavioral1
Sample: banish.exe
Resource: win7-20240221-en
General
Target: banish.exe
Size: 32KB
MD5: 4a43ea617017d5de7d93eb2380634eee
SHA1: b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21
SHA256: dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549
SHA512: c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e
SSDEEP: 384:uEXkzu37tf1A3aXFDy7ZdAhqegVBJi/N5ZV6EMRbQaWTjwiewhOY85RGy+fzzFtC:u+euRG38y78h8g6EMRb9WXwiel3Gyyt
Malware Config
Signatures

Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    2520  takeown.exe
    2584  icacls.exe

Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    2520  takeown.exe
    2584  icacls.exe

Processes:
    resource                                                                     yara_rule
    behavioral1/memory/2340-0-0x0000000000400000-0x000000000041E000-memory.dmp   upx
    behavioral1/memory/2340-9-0x0000000000400000-0x000000000041E000-memory.dmp   upx

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process     target process
    PID 2340 wrote to memory of 2500   2340  banish.exe  cmd.exe
    PID 2340 wrote to memory of 2500   2340  banish.exe  cmd.exe
    PID 2340 wrote to memory of 2500   2340  banish.exe  cmd.exe
    PID 2340 wrote to memory of 2500   2340  banish.exe  cmd.exe
    PID 2500 wrote to memory of 2520   2500  cmd.exe     takeown.exe
    PID 2500 wrote to memory of 2520   2500  cmd.exe     takeown.exe
    PID 2500 wrote to memory of 2520   2500  cmd.exe     takeown.exe
    PID 2500 wrote to memory of 2520   2500  cmd.exe     takeown.exe
    PID 2500 wrote to memory of 2584   2500  cmd.exe     icacls.exe
    PID 2500 wrote to memory of 2584   2500  cmd.exe     icacls.exe
    PID 2500 wrote to memory of 2584   2500  cmd.exe     icacls.exe
    PID 2500 wrote to memory of 2584   2500  cmd.exe     icacls.exe
Processes

C:\Users\Admin\AppData\Local\Temp\banish.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\banish.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2340

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2500

    C:\Windows\SysWOW64\takeown.exe
      Command line: TAKEOWN /F ""
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 2520

    C:\Windows\SysWOW64\icacls.exe
      Command line: ICACLS "" /grant "Admin":F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 2584
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\banish.cmd
  Filesize: 760B
  MD5: 4f4199874adea9219f1e4ad27d97d9c4
  SHA1: dc1dae4f4865f84e1d0f572cacd94f48b83fa289
  SHA256: 099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff
  SHA512: c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017

memory/2340-0-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB

memory/2340-9-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB