Analysis

max time kernel:   118s
max time network:  121s
platform:          windows7_x64
resource:          win7-20240508-en
resource tags:     arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted:         27-05-2024 12:32

Static task:       static1
Behavioral task:   behavioral1
Sample:            blocknotif.bat
Resource:          win7-20240508-en (windows7-x64)
Signatures:        4
Run time:          150 seconds
General

Target:  blocknotif.bat
Size:    555B
MD5:     e465a93972419acd0848792edd02f94b
SHA1:    b54bcb4eed2495239528a73275b3652e8ae66e0f
SHA256:  a5718ae60be15412ad457aad7c602c6b43c40c18bb3ffd9eec26ac20de746620
SHA512:  6dca9b63c372add7b335037b5809791e01eb05903ee2c0a6d455745f33c4e5eeb1a4779435362abe2cd8e8980a1f9ecc6250ceb9011b73057d4861efad3d2808
Malware Config
Signatures

Possible privilege escalation attempt (4 IoCs)
Processes:
  pid   process
  3004  takeown.exe
  3036  icacls.exe
  3040  takeown.exe
  2136  icacls.exe

Modifies file permissions (1 TTPs, 4 IoCs)
Processes:
  pid   process
  3004  takeown.exe
  3036  icacls.exe
  3040  takeown.exe
  2136  icacls.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  3004  takeown.exe
  Token: SeTakeOwnershipPrivilege  3040  takeown.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                        pid   process  target process
  PID 2944 wrote to memory of 1704   2944  cmd.exe  fsutil.exe
  PID 2944 wrote to memory of 1704   2944  cmd.exe  fsutil.exe
  PID 2944 wrote to memory of 1704   2944  cmd.exe  fsutil.exe
  PID 2944 wrote to memory of 3004   2944  cmd.exe  takeown.exe
  PID 2944 wrote to memory of 3004   2944  cmd.exe  takeown.exe
  PID 2944 wrote to memory of 3004   2944  cmd.exe  takeown.exe
  PID 2944 wrote to memory of 3036   2944  cmd.exe  icacls.exe
  PID 2944 wrote to memory of 3036   2944  cmd.exe  icacls.exe
  PID 2944 wrote to memory of 3036   2944  cmd.exe  icacls.exe
  PID 2944 wrote to memory of 3040   2944  cmd.exe  takeown.exe
  PID 2944 wrote to memory of 3040   2944  cmd.exe  takeown.exe
  PID 2944 wrote to memory of 3040   2944  cmd.exe  takeown.exe
  PID 2944 wrote to memory of 2136   2944  cmd.exe  icacls.exe
  PID 2944 wrote to memory of 2136   2944  cmd.exe  icacls.exe
  PID 2944 wrote to memory of 2136   2944  cmd.exe  icacls.exe
Processes

Level 1: C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\blocknotif.bat"
  Signatures:
    - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\fsutil.exe
    Command line: fsutil dirty query C:

  Level 2: C:\Windows\System32\takeown.exe
    Command line: takeown /F MusNotification.exe
    Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\icacls.exe
    Command line: icacls MusNotification.exe /deny Everyone:(X)
    Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions

  Level 2: C:\Windows\System32\takeown.exe
    Command line: takeown /F MusNotificationUx.exe
    Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\System32\icacls.exe
    Command line: icacls MusNotificationUx.exe /deny Everyone:(X)
    Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions