Analysis
- max time kernel: 132s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 08:59
Behavioral task
- behavioral1
- Sample: dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549.exe
- Resource: win7-20240221-en
General
- Target: dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549.exe
- Size: 32KB
- MD5: 4a43ea617017d5de7d93eb2380634eee
- SHA1: b0af5aa27cd0e49955f1ab2d18d69f7bc8fd4d21
- SHA256: dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549
- SHA512: c241538ccf8feeb115dec39fc5f668675769b2681d96d77bca1f5d826a4841ddbf8ed0f167bdee1ec70d623b7a6382c88a3aa3b85083898a71585ca47796852e
- SSDEEP: 384:uEXkzu37tf1A3aXFDy7ZdAhqegVBJi/N5ZV6EMRbQaWTjwiewhOY85RGy+fzzFtC:u+euRG38y78h8g6EMRb9WXwiel3Gyyt
Malware Config

Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    1248  takeown.exe
    3188  icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    1248  takeown.exe
    3188  icacls.exe
- Processes:
    resource                                                                     yara_rule
    behavioral2/memory/3088-0-0x0000000000400000-0x000000000041E000-memory.dmp   upx
    behavioral2/memory/3088-4-0x0000000000400000-0x000000000041E000-memory.dmp   upx
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 3088 wrote to memory of 540   3088  dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549.exe    cmd.exe
    PID 3088 wrote to memory of 540   3088  dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549.exe    cmd.exe
    PID 3088 wrote to memory of 540   3088  dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549.exe    cmd.exe
    PID 540 wrote to memory of 1248   540   cmd.exe                                                                   takeown.exe
    PID 540 wrote to memory of 1248   540   cmd.exe                                                                   takeown.exe
    PID 540 wrote to memory of 1248   540   cmd.exe                                                                   takeown.exe
    PID 540 wrote to memory of 3188   540   cmd.exe                                                                   icacls.exe
    PID 540 wrote to memory of 3188   540   cmd.exe                                                                   icacls.exe
    PID 540 wrote to memory of 3188   540   cmd.exe                                                                   icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549.exe (PID 3088, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\dfa5b7bbc23df9a1402063551c44eede0c9445b930291027830b3af0fbe4a549.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 540, depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\banish.cmd""
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (PID 1248, depth 3)
      command line: TAKEOWN /F ""
      signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe (PID 3188, depth 3)
      command line: ICACLS "" /grant "Admin":F
      signatures: Possible privilege escalation attempt; Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\banish.cmd
  Filesize: 760B
  MD5: 4f4199874adea9219f1e4ad27d97d9c4
  SHA1: dc1dae4f4865f84e1d0f572cacd94f48b83fa289
  SHA256: 099a497b7b971d87d0f8c17ce37d1c675e9d6d75d5c1e605c45d85e54c26a2ff
  SHA512: c703c4c89ec94d2578e2b96110724fb08e5289c7e0db51f47e4bfd6be14d684223e0dfc2dfe978aa56eb8037a4bea514464e582ac3363ed1f506cba1aeaf6017
- memory/3088-0-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB
- memory/3088-4-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB