bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1

General

Target

bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
Size

72KB
MD5

607ff124d59d031ac081c8210f941826
SHA1

4d557a6584e6500b337a52ea45e3e7114c50e0cd
SHA256

bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1
SHA512

de7078e6f0afb9237944024cb840d98b0071b33c449a76586fde80a14e1b12e8a0776bf1019313de35020abc7025bd4c4ee341ee7dde1250ed87a1f28cbe27aa
SSDEEP

1536:eK086JErWvey9wQuQtHcTBRbCJs2E64KtL6:e1JErWm2wQnVJfEMZ6

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
3196	icacls.exe
2888	icacls.exe
2072	icacls.exe
4660	takeown.exe
3624	takeown.exe
2140	icacls.exe
2428	takeown.exe
3000	takeown.exe
1748	icacls.exe
3996	takeown.exe
4564	icacls.exe
2792	icacls.exe
3160	takeown.exe
4548	icacls.exe
2592	takeown.exe
3168	icacls.exe
2236	takeown.exe
3132	icacls.exe
4452	takeown.exe
4236	icacls.exe
3872	takeown.exe
1092	takeown.exe
3044	icacls.exe
4996	takeown.exe
4320	icacls.exe
1476	takeown.exe
4968	icacls.exe
4904	takeown.exe
2168	icacls.exe
3424	takeown.exe
176	icacls.exe
2576	takeown.exe
4448	icacls.exe
4444	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
4904	takeown.exe
1748	icacls.exe
4996	takeown.exe
4968	icacls.exe
4448	icacls.exe
4444	takeown.exe
4564	icacls.exe
2168	icacls.exe
3196	icacls.exe
2140	icacls.exe
2236	takeown.exe
4320	icacls.exe
4452	takeown.exe
2592	takeown.exe
2576	takeown.exe
4236	icacls.exe
3424	takeown.exe
3872	takeown.exe
4660	takeown.exe
3000	takeown.exe
3132	icacls.exe
2792	icacls.exe
4548	icacls.exe
1092	takeown.exe
3168	icacls.exe
3996	takeown.exe
176	icacls.exe
3624	takeown.exe
1476	takeown.exe
2428	takeown.exe
3160	takeown.exe
2888	icacls.exe
3044	icacls.exe
2072	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\gwkoi.exe	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification	C:\Windows\SysWOW64\gwkoi.exe	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3424	takeown.exe
Token: SeTakeOwnershipPrivilege	2592	takeown.exe
Token: SeTakeOwnershipPrivilege	1092	takeown.exe
Token: SeTakeOwnershipPrivilege	3624	takeown.exe
Token: SeTakeOwnershipPrivilege	3996	takeown.exe
Token: SeTakeOwnershipPrivilege	2236	takeown.exe
Token: SeTakeOwnershipPrivilege	4996	takeown.exe
Token: SeTakeOwnershipPrivilege	2576	takeown.exe
Token: SeTakeOwnershipPrivilege	1476	takeown.exe
Token: SeTakeOwnershipPrivilege	2428	takeown.exe
Token: SeTakeOwnershipPrivilege	4444	takeown.exe
Token: SeTakeOwnershipPrivilege	4452	takeown.exe
Token: SeTakeOwnershipPrivilege	3872	takeown.exe
Token: SeTakeOwnershipPrivilege	4904	takeown.exe
Token: SeTakeOwnershipPrivilege	4660	takeown.exe
Token: SeTakeOwnershipPrivilege	3000	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe

pid process

980 bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe

pid	process
980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe

description	pid	process	target process
PID 980 wrote to memory of 3160	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3160	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3160	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 4548	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 4548	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 4548	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3424	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3424	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3424	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3196	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3196	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3196	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2592	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2592	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2592	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 1748	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 1748	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 1748	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 1092	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 1092	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 1092	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2888	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2888	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2888	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3624	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3624	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3624	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3168	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3168	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3168	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3996	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3996	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3996	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2140	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2140	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2140	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2236	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2236	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2236	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 3044	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3044	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 3044	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 4996	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 4996	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 4996	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 4320	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 4320	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 4320	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2576	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2576	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2576	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 176	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 176	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 176	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 1476	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 1476	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 1476	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 4968	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 4968	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 4968	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe
PID 980 wrote to memory of 2428	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2428	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 2428	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	takeown.exe
PID 980 wrote to memory of 4448	980	bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
"C:\Users\Admin\AppData\Local\Temp\bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\gwkoi.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3160

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\gwkoi.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4548

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3196

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1748

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2888

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3168

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2140

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3044

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4320

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:176

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4968

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4448

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3132

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4236

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4564

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2072

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2168

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gwkoi.exe
Filesize
72KB

MD5
607ff124d59d031ac081c8210f941826

SHA1
4d557a6584e6500b337a52ea45e3e7114c50e0cd

SHA256
bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1

SHA512
de7078e6f0afb9237944024cb840d98b0071b33c449a76586fde80a14e1b12e8a0776bf1019313de35020abc7025bd4c4ee341ee7dde1250ed87a1f28cbe27aa

Download Submit
memory/176-152-0x0000000000000000-mapping.dmp

Download
memory/1092-141-0x0000000000000000-mapping.dmp

Download
memory/1476-153-0x0000000000000000-mapping.dmp

Download
memory/1748-140-0x0000000000000000-mapping.dmp

Download
memory/2072-164-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000000000000-mapping.dmp

Download
memory/2168-166-0x0000000000000000-mapping.dmp

Download
memory/2236-147-0x0000000000000000-mapping.dmp

Download
memory/2428-155-0x0000000000000000-mapping.dmp

Download
memory/2576-151-0x0000000000000000-mapping.dmp

Download
memory/2592-139-0x0000000000000000-mapping.dmp

Download
memory/2792-168-0x0000000000000000-mapping.dmp

Download
memory/2888-142-0x0000000000000000-mapping.dmp

Download
memory/3000-167-0x0000000000000000-mapping.dmp

Download
memory/3044-148-0x0000000000000000-mapping.dmp

Download
memory/3132-158-0x0000000000000000-mapping.dmp

Download
memory/3160-134-0x0000000000000000-mapping.dmp

Download
memory/3168-144-0x0000000000000000-mapping.dmp

Download
memory/3196-138-0x0000000000000000-mapping.dmp

Download
memory/3424-137-0x0000000000000000-mapping.dmp

Download
memory/3624-143-0x0000000000000000-mapping.dmp

Download
memory/3872-161-0x0000000000000000-mapping.dmp

Download
memory/3996-145-0x0000000000000000-mapping.dmp

Download
memory/4236-160-0x0000000000000000-mapping.dmp

Download
memory/4320-150-0x0000000000000000-mapping.dmp

Download
memory/4444-157-0x0000000000000000-mapping.dmp

Download
memory/4448-156-0x0000000000000000-mapping.dmp

Download
memory/4452-159-0x0000000000000000-mapping.dmp

Download
memory/4548-135-0x0000000000000000-mapping.dmp

Download
memory/4564-162-0x0000000000000000-mapping.dmp

Download
memory/4660-165-0x0000000000000000-mapping.dmp

Download
memory/4904-163-0x0000000000000000-mapping.dmp

Download
memory/4968-154-0x0000000000000000-mapping.dmp

Download
memory/4996-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads