96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256

General

Target

96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
Size

68KB
MD5

01b4a6d2a221aea621b86662aee7d8c0
SHA1

c968452bfa4ae792c14b12522f0dd8347a36bf83
SHA256

96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256
SHA512

cedbc2f13a25d9e1a440c6cb9c8d076bcba912dce79cedde54c3dec8a92841717b38818f267bdff43890918ec6d5d380eda157b4173ac488ce8e01ed8247984a
SSDEEP

1536:tiKPa3rtPbJx07/LIUIkfDq8Wp7WJa+/1JFx3V8:tiqA9lx07cUIkfDq8WpyJa+fF8

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
4308	icacls.exe
2960	takeown.exe
792	icacls.exe
4056	takeown.exe
4624	icacls.exe
2252	takeown.exe
3596	icacls.exe
1732	takeown.exe
1648	takeown.exe
3212	takeown.exe
4744	takeown.exe
2228	icacls.exe
856	icacls.exe
3552	takeown.exe
1988	takeown.exe
2296	takeown.exe
1976	takeown.exe
3980	icacls.exe
2512	takeown.exe
2504	icacls.exe
4700	takeown.exe
4304	icacls.exe
4296	icacls.exe
1788	icacls.exe
2036	icacls.exe
428	icacls.exe
3440	takeown.exe
1944	icacls.exe
4044	takeown.exe
1380	takeown.exe
4756	icacls.exe
3176	icacls.exe
2824	icacls.exe
2692	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2296	takeown.exe
792	icacls.exe
4700	takeown.exe
2512	takeown.exe
1732	takeown.exe
1788	icacls.exe
4756	icacls.exe
2504	icacls.exe
1648	takeown.exe
1976	takeown.exe
428	icacls.exe
4304	icacls.exe
1988	takeown.exe
4056	takeown.exe
3552	takeown.exe
1380	takeown.exe
2252	takeown.exe
3212	takeown.exe
2228	icacls.exe
2824	icacls.exe
4296	icacls.exe
4744	takeown.exe
856	icacls.exe
3440	takeown.exe
4624	icacls.exe
2960	takeown.exe
2692	takeown.exe
4044	takeown.exe
3176	icacls.exe
2036	icacls.exe
3596	icacls.exe
3980	icacls.exe
4308	icacls.exe
1944	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cmd.exe	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
File created	C:\Windows\SysWOW64\quez.exe	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
File opened for modification	C:\Windows\SysWOW64\quez.exe	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1988	takeown.exe
Token: SeTakeOwnershipPrivilege	4056	takeown.exe
Token: SeTakeOwnershipPrivilege	4700	takeown.exe
Token: SeTakeOwnershipPrivilege	2296	takeown.exe
Token: SeTakeOwnershipPrivilege	1648	takeown.exe
Token: SeTakeOwnershipPrivilege	1976	takeown.exe
Token: SeTakeOwnershipPrivilege	2252	takeown.exe
Token: SeTakeOwnershipPrivilege	3212	takeown.exe
Token: SeTakeOwnershipPrivilege	2512	takeown.exe
Token: SeTakeOwnershipPrivilege	4744	takeown.exe
Token: SeTakeOwnershipPrivilege	1732	takeown.exe
Token: SeTakeOwnershipPrivilege	2960	takeown.exe
Token: SeTakeOwnershipPrivilege	2692	takeown.exe
Token: SeTakeOwnershipPrivilege	3440	takeown.exe
Token: SeTakeOwnershipPrivilege	4044	takeown.exe
Token: SeTakeOwnershipPrivilege	3552	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe

pid process

1828 96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe

pid	process
1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe

description	pid	process	target process
PID 1828 wrote to memory of 1380	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1380	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1380	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4756	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4756	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4756	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 1988	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1988	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1988	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 3176	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 3176	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 3176	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4056	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4056	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4056	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2504	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2504	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2504	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4700	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4700	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4700	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2824	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2824	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2824	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2296	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2296	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2296	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2036	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2036	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2036	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 1648	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1648	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1648	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4624	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4624	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4624	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 1976	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1976	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 1976	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 428	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 428	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 428	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2252	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2252	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2252	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 3596	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 3596	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 3596	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 3212	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 3212	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 3212	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 3980	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 3980	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 3980	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 2512	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2512	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2512	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4296	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4296	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4296	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe
PID 1828 wrote to memory of 4744	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4744	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 4744	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	takeown.exe
PID 1828 wrote to memory of 2228	1828	96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
"C:\Users\Admin\AppData\Local\Temp\96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\quez.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1380

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\quez.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4756

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3176

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2504

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2824

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2036

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4624

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:428

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3596

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3980

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4296

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2228

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4308

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:856

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:792

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4304

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\quez.exe
Filesize
68KB

MD5
01b4a6d2a221aea621b86662aee7d8c0

SHA1
c968452bfa4ae792c14b12522f0dd8347a36bf83

SHA256
96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256

SHA512
cedbc2f13a25d9e1a440c6cb9c8d076bcba912dce79cedde54c3dec8a92841717b38818f267bdff43890918ec6d5d380eda157b4173ac488ce8e01ed8247984a

Download Submit
memory/428-148-0x0000000000000000-mapping.dmp

Download
memory/792-162-0x0000000000000000-mapping.dmp

Download
memory/856-160-0x0000000000000000-mapping.dmp

Download
memory/1380-134-0x0000000000000000-mapping.dmp

Download
memory/1648-145-0x0000000000000000-mapping.dmp

Download
memory/1732-157-0x0000000000000000-mapping.dmp

Download
memory/1788-168-0x0000000000000000-mapping.dmp

Download
memory/1944-164-0x0000000000000000-mapping.dmp

Download
memory/1976-147-0x0000000000000000-mapping.dmp

Download
memory/1988-137-0x0000000000000000-mapping.dmp

Download
memory/2036-144-0x0000000000000000-mapping.dmp

Download
memory/2228-156-0x0000000000000000-mapping.dmp

Download
memory/2252-149-0x0000000000000000-mapping.dmp

Download
memory/2296-143-0x0000000000000000-mapping.dmp

Download
memory/2504-140-0x0000000000000000-mapping.dmp

Download
memory/2512-153-0x0000000000000000-mapping.dmp

Download
memory/2692-161-0x0000000000000000-mapping.dmp

Download
memory/2824-142-0x0000000000000000-mapping.dmp

Download
memory/2960-159-0x0000000000000000-mapping.dmp

Download
memory/3176-138-0x0000000000000000-mapping.dmp

Download
memory/3212-151-0x0000000000000000-mapping.dmp

Download
memory/3440-163-0x0000000000000000-mapping.dmp

Download
memory/3552-167-0x0000000000000000-mapping.dmp

Download
memory/3596-150-0x0000000000000000-mapping.dmp

Download
memory/3980-152-0x0000000000000000-mapping.dmp

Download
memory/4044-165-0x0000000000000000-mapping.dmp

Download
memory/4056-139-0x0000000000000000-mapping.dmp

Download
memory/4296-154-0x0000000000000000-mapping.dmp

Download
memory/4304-166-0x0000000000000000-mapping.dmp

Download
memory/4308-158-0x0000000000000000-mapping.dmp

Download
memory/4624-146-0x0000000000000000-mapping.dmp

Download
memory/4700-141-0x0000000000000000-mapping.dmp

Download
memory/4744-155-0x0000000000000000-mapping.dmp

Download
memory/4756-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads