icacls.pdb
Static task
static1
Behavioral task
behavioral1
Sample
icacls.exe
Resource
win10v2004-20240426-en
General
-
Target
icacls.exe
-
Size
37KB
-
MD5
24084debc1369b35e57f8efe0500a83d
-
SHA1
c44cf46295b8e727606438d61f15d5a412d74148
-
SHA256
70b6b1fc978df2e608af138da4eff5bdea6ff77434a1defcf8675ff0cc452829
-
SHA512
b55a504ef86a66783360170c9e5f0ff75a2f34fad97ef49e05658362a28ab61bd829d4d4ba1cc60cfa9c42cafae897831d78dd333a9dd5c88f47545c792608ef
-
SSDEEP
768:4lyiYW5CcQevN+BHGBmfAnm/HygVKs6jTiAUSETkqOGeCwE/Ldh8:4IkhIWmB0DTiAUFkqOtZE/Ldh8
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for a missing embedded Authenticode signature. On its own this is a weak indicator for a file that presents as a Windows system utility: many Windows system binaries are catalog-signed rather than carrying an embedded signature, so the verdict should be confirmed against the catalog or a known-good hash for this build before treating the sample as untrusted.
resource icacls.exe
Files
-
icacls.exe.exe windows:10 windows x64 arch:x64
e5f3d9e2fb5393bf81da7ed286690c48
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
msvcrt
feof
wcscat_s
fgetwc
free
wcscpy_s
swprintf_s
_local_unwind
printf
fputws
__C_specific_handler
realloc
_ultow
?terminate@@YAXXZ
_commode
_fmode
_wfopen
_initterm
_wcsdup
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
fclose
_amsg_exit
_wcsicmp
_wperror
_XcptFilter
wcsncpy_s
malloc
wcschr
wcsrchr
calloc
_wcsnicmp
memcpy
ntdll
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtOpenFile
RtlNtStatusToDosError
RtlFreeHeap
NtQueryInformationFile
RtlIsCapabilitySid
NtClose
RtlReleaseRelativeName
RtlIsPackageSid
RtlDosPathNameToRelativeNtPathName_U
api-ms-win-security-lsalookup-l2-1-1
LookupPrivilegeValueW
LookupAccountSidW
LookupAccountNameW
api-ms-win-core-file-l1-2-1
GetFinalPathNameByHandleW
GetFileType
GetFileAttributesW
FindClose
WriteFile
FindNextFileW
FindFirstFileW
api-ms-win-core-errorhandling-l1-1-1
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError
api-ms-win-security-base-l1-2-0
GetSecurityDescriptorDacl
GetSecurityDescriptorControl
SetSecurityAccessMask
EqualSid
DeleteAce
IsValidSid
AddAce
AdjustTokenPrivileges
CopySid
IsValidAcl
GetLengthSid
GetSecurityDescriptorSacl
InitializeAcl
api-ms-win-core-processthreads-l1-1-2
GetCurrentProcess
TerminateProcess
OpenProcessToken
GetCurrentThreadId
GetCurrentProcessId
api-ms-win-core-processenvironment-l1-2-0
GetStdHandle
api-ms-win-security-sddl-l1-1-0
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertStringSidToSidW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
api-ms-win-core-heap-l2-1-0
LocalFree
LocalAlloc
api-ms-win-core-console-l1-1-0
WriteConsoleW
GetConsoleMode
api-ms-win-core-localization-l1-2-1
FormatMessageW
SetThreadPreferredUILanguages
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-heap-l1-2-0
HeapSetInformation
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
api-ms-win-core-synch-l1-2-0
Sleep
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleW
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-2-1
GetSystemTimeAsFileTime
GetTickCount
api-ms-win-security-provider-l1-1-0
GetSecurityInfo
SetSecurityInfo
api-ms-win-core-heap-obsolete-l1-1-0
LocalSize
Sections
.text Size: 21KB - Virtual size: 21KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 9KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 768B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 216B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ