96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a

General

Target

96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
Size

68KB
MD5

076b85a5c833508de41b3cf7292b3c76
SHA1

e6d5db8f4ce19fc52ca3e8994dd983758629ea5a
SHA256

96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a
SHA512

11f4e94524aea494c5c934f14c60508171f9fce6f48414ae347d9796517b5cd6e208cbd1bb80f5ac2664297af97217556d1098594ecbbb05d779fe34d9f470f8
SSDEEP

768:8AzPQ1mt9KylnlBzvy7HRxlAUc8quFZTOHvPV+uaQGQiERntyuK0dUcqGMkqEKAZ:8ADQEK+qF3FZTOHvPVfY1ERtqGMkGt4v

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4868	takeown.exe
4496	icacls.exe
1076	takeown.exe
1668	icacls.exe
1896	takeown.exe
3088	icacls.exe
4584	takeown.exe
4056	icacls.exe
3016	icacls.exe
5044	icacls.exe
4780	takeown.exe
3688	icacls.exe
3396	takeown.exe
4872	takeown.exe
4548	takeown.exe
3372	icacls.exe
780	takeown.exe
4240	takeown.exe
5040	takeown.exe
2288	icacls.exe
924	takeown.exe
3260	icacls.exe
4092	takeown.exe
2640	takeown.exe
2240	icacls.exe
4728	takeown.exe
1488	icacls.exe
4232	takeown.exe
3084	icacls.exe
3652	takeown.exe
3264	icacls.exe
3648	icacls.exe
2208	icacls.exe
1012	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
3688	icacls.exe
4584	takeown.exe
3260	icacls.exe
1012	icacls.exe
4232	takeown.exe
3084	icacls.exe
780	takeown.exe
4496	icacls.exe
924	takeown.exe
4240	takeown.exe
3088	icacls.exe
4780	takeown.exe
4548	takeown.exe
4056	icacls.exe
4868	takeown.exe
1488	icacls.exe
4872	takeown.exe
5044	icacls.exe
4728	takeown.exe
3652	takeown.exe
3264	icacls.exe
1076	takeown.exe
3372	icacls.exe
3016	icacls.exe
2208	icacls.exe
5040	takeown.exe
2240	icacls.exe
1668	icacls.exe
1896	takeown.exe
3648	icacls.exe
2288	icacls.exe
2640	takeown.exe
4092	takeown.exe
3396	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
File created	C:\Windows\SysWOW64\titqi.exe	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
File opened for modification	C:\Windows\SysWOW64\titqi.exe	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4868	takeown.exe
Token: SeTakeOwnershipPrivilege	4728	takeown.exe
Token: SeTakeOwnershipPrivilege	3652	takeown.exe
Token: SeTakeOwnershipPrivilege	4872	takeown.exe
Token: SeTakeOwnershipPrivilege	780	takeown.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe
Token: SeTakeOwnershipPrivilege	2640	takeown.exe
Token: SeTakeOwnershipPrivilege	4240	takeown.exe
Token: SeTakeOwnershipPrivilege	5040	takeown.exe
Token: SeTakeOwnershipPrivilege	924	takeown.exe
Token: SeTakeOwnershipPrivilege	4780	takeown.exe
Token: SeTakeOwnershipPrivilege	4584	takeown.exe
Token: SeTakeOwnershipPrivilege	4548	takeown.exe
Token: SeTakeOwnershipPrivilege	4092	takeown.exe
Token: SeTakeOwnershipPrivilege	1076	takeown.exe
Token: SeTakeOwnershipPrivilege	4232	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe

pid process

5112 96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe

pid	process
5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe

description	pid	process	target process
PID 5112 wrote to memory of 3396	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3396	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3396	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4056	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4056	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4056	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4868	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4868	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4868	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3084	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3084	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3084	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4728	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4728	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4728	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3016	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3016	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3016	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3652	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3652	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3652	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3264	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3264	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3264	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4872	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4872	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4872	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 5044	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 5044	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 5044	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 780	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 780	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 780	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 1488	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 1488	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 1488	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 1896	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 1896	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 1896	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3648	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3648	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 3648	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 2640	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 2640	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 2640	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4496	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4496	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4496	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 4240	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4240	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 4240	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 2208	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 2208	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 2208	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 5040	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 5040	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 5040	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 2288	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 2288	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 2288	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe
PID 5112 wrote to memory of 924	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 924	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 924	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	takeown.exe
PID 5112 wrote to memory of 3088	5112	96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
"C:\Users\Admin\AppData\Local\Temp\96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\titqi.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3396

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\titqi.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4056

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3084

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3016

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3264

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5044

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1488

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3648

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4496

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2208

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2288

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3088

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3688

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3260

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2240

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1012

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1668

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\titqi.exe
Filesize
68KB

MD5
076b85a5c833508de41b3cf7292b3c76

SHA1
e6d5db8f4ce19fc52ca3e8994dd983758629ea5a

SHA256
96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a

SHA512
11f4e94524aea494c5c934f14c60508171f9fce6f48414ae347d9796517b5cd6e208cbd1bb80f5ac2664297af97217556d1098594ecbbb05d779fe34d9f470f8

Download Submit
memory/780-145-0x0000000000000000-mapping.dmp

Download
memory/924-155-0x0000000000000000-mapping.dmp

Download
memory/1012-164-0x0000000000000000-mapping.dmp

Download
memory/1076-165-0x0000000000000000-mapping.dmp

Download
memory/1488-146-0x0000000000000000-mapping.dmp

Download
memory/1668-166-0x0000000000000000-mapping.dmp

Download
memory/1896-147-0x0000000000000000-mapping.dmp

Download
memory/2208-152-0x0000000000000000-mapping.dmp

Download
memory/2240-162-0x0000000000000000-mapping.dmp

Download
memory/2288-154-0x0000000000000000-mapping.dmp

Download
memory/2640-149-0x0000000000000000-mapping.dmp

Download
memory/3016-140-0x0000000000000000-mapping.dmp

Download
memory/3084-138-0x0000000000000000-mapping.dmp

Download
memory/3088-156-0x0000000000000000-mapping.dmp

Download
memory/3260-160-0x0000000000000000-mapping.dmp

Download
memory/3264-142-0x0000000000000000-mapping.dmp

Download
memory/3372-168-0x0000000000000000-mapping.dmp

Download
memory/3396-134-0x0000000000000000-mapping.dmp

Download
memory/3648-148-0x0000000000000000-mapping.dmp

Download
memory/3652-141-0x0000000000000000-mapping.dmp

Download
memory/3688-158-0x0000000000000000-mapping.dmp

Download
memory/4056-136-0x0000000000000000-mapping.dmp

Download
memory/4092-163-0x0000000000000000-mapping.dmp

Download
memory/4232-167-0x0000000000000000-mapping.dmp

Download
memory/4240-151-0x0000000000000000-mapping.dmp

Download
memory/4496-150-0x0000000000000000-mapping.dmp

Download
memory/4548-161-0x0000000000000000-mapping.dmp

Download
memory/4584-159-0x0000000000000000-mapping.dmp

Download
memory/4728-139-0x0000000000000000-mapping.dmp

Download
memory/4780-157-0x0000000000000000-mapping.dmp

Download
memory/4868-137-0x0000000000000000-mapping.dmp

Download
memory/4872-143-0x0000000000000000-mapping.dmp

Download
memory/5040-153-0x0000000000000000-mapping.dmp

Download
memory/5044-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads