Analysis Overview
SHA256
a5718ae60be15412ad457aad7c602c6b43c40c18bb3ffd9eec26ac20de746620
Threat Level: Likely malicious
The file blocknotif.bat was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-27 12:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 12:32
Reported
2024-05-27 12:35
Platform
win7-20240508-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\blocknotif.bat"
C:\Windows\system32\fsutil.exe
fsutil dirty query C:
C:\Windows\System32\takeown.exe
takeown /F MusNotification.exe
C:\Windows\System32\icacls.exe
icacls MusNotification.exe /deny Everyone:(X)
C:\Windows\System32\takeown.exe
takeown /F MusNotificationUx.exe
C:\Windows\System32\icacls.exe
icacls MusNotificationUx.exe /deny Everyone:(X)
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 12:32
Reported
2024-05-27 12:35
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
150s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1476 wrote to memory of 3364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fsutil.exe |
| PID 1476 wrote to memory of 3364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\fsutil.exe |
| PID 1476 wrote to memory of 628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\takeown.exe |
| PID 1476 wrote to memory of 628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\takeown.exe |
| PID 1476 wrote to memory of 1680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\icacls.exe |
| PID 1476 wrote to memory of 1680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\icacls.exe |
| PID 1476 wrote to memory of 3984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\takeown.exe |
| PID 1476 wrote to memory of 3984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\takeown.exe |
| PID 1476 wrote to memory of 4172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\icacls.exe |
| PID 1476 wrote to memory of 4172 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\icacls.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\blocknotif.bat"
C:\Windows\system32\fsutil.exe
fsutil dirty query C:
C:\Windows\System32\takeown.exe
takeown /F MusNotification.exe
C:\Windows\System32\icacls.exe
icacls MusNotification.exe /deny Everyone:(X)
C:\Windows\System32\takeown.exe
takeown /F MusNotificationUx.exe
C:\Windows\System32\icacls.exe
icacls MusNotificationUx.exe /deny Everyone:(X)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |