Analysis
- max time kernel: 136s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 04-10-2022 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: 96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
- Resource: win7-20220812-en
General
- Target: 96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
- Size: 68KB
- MD5: 076b85a5c833508de41b3cf7292b3c76
- SHA1: e6d5db8f4ce19fc52ca3e8994dd983758629ea5a
- SHA256: 96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a
- SHA512: 11f4e94524aea494c5c934f14c60508171f9fce6f48414ae347d9796517b5cd6e208cbd1bb80f5ac2664297af97217556d1098594ecbbb05d779fe34d9f470f8
- SSDEEP: 768:8AzPQ1mt9KylnlBzvy7HRxlAUc8quFZTOHvPV+uaQGQiERntyuK0dUcqGMkqEKAZ:8ADQEK+qF3FZTOHvPVfY1ERtqGMkGt4v
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (pid process): 4868 takeown.exe, 4496 icacls.exe, 1076 takeown.exe, 1668 icacls.exe, 1896 takeown.exe, 3088 icacls.exe, 4584 takeown.exe, 4056 icacls.exe, 3016 icacls.exe, 5044 icacls.exe, 4780 takeown.exe, 3688 icacls.exe, 3396 takeown.exe, 4872 takeown.exe, 4548 takeown.exe, 3372 icacls.exe, 780 takeown.exe, 4240 takeown.exe, 5040 takeown.exe, 2288 icacls.exe, 924 takeown.exe, 3260 icacls.exe, 4092 takeown.exe, 2640 takeown.exe, 2240 icacls.exe, 4728 takeown.exe, 1488 icacls.exe, 4232 takeown.exe, 3084 icacls.exe, 3652 takeown.exe, 3264 icacls.exe, 3648 icacls.exe, 2208 icacls.exe, 1012 icacls.exe
- Modifies file permissions (1 TTP, 34 IoCs)
  Processes (pid process): 3688 icacls.exe, 4584 takeown.exe, 3260 icacls.exe, 1012 icacls.exe, 4232 takeown.exe, 3084 icacls.exe, 780 takeown.exe, 4496 icacls.exe, 924 takeown.exe, 4240 takeown.exe, 3088 icacls.exe, 4780 takeown.exe, 4548 takeown.exe, 4056 icacls.exe, 4868 takeown.exe, 1488 icacls.exe, 4872 takeown.exe, 5044 icacls.exe, 4728 takeown.exe, 3652 takeown.exe, 3264 icacls.exe, 1076 takeown.exe, 3372 icacls.exe, 3016 icacls.exe, 2208 icacls.exe, 5040 takeown.exe, 2240 icacls.exe, 1668 icacls.exe, 1896 takeown.exe, 3648 icacls.exe, 2288 icacls.exe, 2640 takeown.exe, 4092 takeown.exe, 3396 takeown.exe
- Drops file in System32 directory (6 IoCs)
  Process: 96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe (description, ioc):
  File opened for modification C:\Windows\SysWOW64\wscript.exe
  File opened for modification C:\Windows\SysWOW64\cscript.exe
  File created C:\Windows\SysWOW64\titqi.exe
  File opened for modification C:\Windows\SysWOW64\titqi.exe
  File opened for modification C:\Windows\SysWOW64\cmd.exe
  File opened for modification C:\Windows\SysWOW64\ftp.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token SeTakeOwnershipPrivilege, takeown.exe pids: 4868, 4728, 3652, 4872, 780, 1896, 2640, 4240, 5040, 924, 4780, 4584, 4548, 4092, 1076, 4232
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 5112 96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 5112 (96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe) wrote to memory of each child it spawned, three events per child (target pid process): 3396 takeown.exe, 4056 icacls.exe, 4868 takeown.exe, 3084 icacls.exe, 4728 takeown.exe, 3016 icacls.exe, 3652 takeown.exe, 3264 icacls.exe, 4872 takeown.exe, 5044 icacls.exe, 780 takeown.exe, 1488 icacls.exe, 1896 takeown.exe, 3648 icacls.exe, 2640 takeown.exe, 4496 icacls.exe, 4240 takeown.exe, 2208 icacls.exe, 5040 takeown.exe, 2288 icacls.exe, 924 takeown.exe (3 events each); 3088 icacls.exe (1 event, where the 64-entry list ends)
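The "Modifies file permissions" and "Suspicious use of AdjustPrivilegeToken" signatures above are the two halves of one action: takeown.exe enables SeTakeOwnershipPrivilege and changes the file owner, then icacls.exe grants SYSTEM full control on the same file. On a host where this sample ran, the ACL change outlives the processes and can be checked afterwards. The script below is an added example, not part of the sandbox report or the sample: it parses the text output of `icacls <file>` and diffs it against a baseline ACL. Both the baseline (assumed Windows 10 defaults for a System32 binary) and the icacls output (constructed to show the same file after the sample's `/grant SYSTEM:F`) are assumptions for the example; capture the real baseline from a clean reference image.

```python
"""Diff icacls text output against a baseline ACL for System32 binaries.

Added example, not from the sandbox report. BASELINE and ICACLS_OUTPUT are
constructed for illustration; replace them with values from your own images.
"""
import re

# Assumed default explicit ACEs on a Windows 10 C:\Windows\System32\*.exe.
BASELINE = {
    "NT SERVICE\\TrustedInstaller": "(F)",
    "NT AUTHORITY\\SYSTEM": "(RX)",
    "BUILTIN\\Administrators": "(RX)",
    "BUILTIN\\Users": "(RX)",
    "APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES": "(RX)",
    "APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES": "(RX)",
}

# Constructed `icacls C:\Windows\System32\cmd.exe` output after the sample's
# `icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F` ran: SYSTEM is now (F).
ICACLS_OUTPUT = """\
C:\\Windows\\System32\\cmd.exe NT SERVICE\\TrustedInstaller:(F)
                            NT AUTHORITY\\SYSTEM:(F)
                            BUILTIN\\Administrators:(RX)
                            BUILTIN\\Users:(RX)
                            APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(RX)
                            APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE at the end of a line: "<principal>:(flags)(flags)...". The principal
# must be preceded by start-of-line or whitespace and contain no colon, so the
# "C:" of a leading path can never be mistaken for the principal.
ACE_RE = re.compile(r"(?:^|\s)([^\s:][^:]*?):((?:\([A-Z,]+\))+)\s*$")


def parse_icacls(text):
    """Return {path: {principal: flags}}. The first line of each file block
    starts with the path; continuation lines are indented."""
    result, current = {}, None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        prefix = line[:m.start(1)].strip()
        if prefix:                       # a new file block begins with its path
            current = prefix
            result[current] = {}
        if current is not None:
            result[current][m.group(1)] = m.group(2)
    return result


def audit(acl, baseline=BASELINE):
    """Compare one file's ACEs with the baseline and list every deviation."""
    findings = []
    for who, flags in acl.items():
        if who not in baseline:
            findings.append(("unexpected_principal", who, flags))
        elif flags != baseline[who]:
            findings.append(("rights_changed", who, "%s -> %s" % (baseline[who], flags)))
    for who, flags in baseline.items():
        if who not in acl:
            findings.append(("missing_principal", who, flags))
    return findings


def audit_output(text, baseline=BASELINE):
    """Audit every file block in a chunk of icacls output."""
    return {path: audit(acl, baseline) for path, acl in parse_icacls(text).items()}


if __name__ == "__main__":
    for path, deviations in audit_output(ICACLS_OUTPUT).items():
        print(path, deviations)
```

Plain icacls output does not show the owner, so the takeown half of the change needs a separate check, for example `Get-Acl <file> | Select-Object Owner` in PowerShell, where a System32 binary is expected to be owned by NT SERVICE\TrustedInstaller.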
Processes (tree depth in brackets; image | command line | signatures)
- [1] C:\Users\Admin\AppData\Local\Temp\96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe | "C:\Users\Admin\AppData\Local\Temp\96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a.exe" | Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\takeown.exe | C:\Windows\system32\takeown.exe /f "C:\Windows\system32\titqi.exe" | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\icacls.exe | C:\Windows\system32\icacls.exe "C:\Windows\system32\titqi.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\cmd.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\cmd.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\ftp.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\ftp.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\wscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\wscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\cscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\System32\cscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\cmd.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\cmd.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\ftp.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\ftp.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\wscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\wscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\cscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe | takeown.exe /f "C:\Windows\SysWOW64\cscript.exe" | Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe | icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F | Possible privilege escalation attempt; Modifies file permissions
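The process tree above is a single loop: for the dropped titqi.exe and then for cmd.exe, ftp.exe, wscript.exe and cscript.exe, the sample runs takeown /f followed by icacls /grant SYSTEM:F, once for titqi.exe and twice for each of the other four under a System32 path and again under a SysWOW64 path. Every child image is under C:\Windows\SysWOW64, which means the parent is a 32-bit process, and WoW64 file system redirection maps the C:\Windows\System32 paths in the first half of the tree onto C:\Windows\SysWOW64; that is why the "Drops file in System32 directory" signature lists only SysWOW64 files even though the command lines name System32. The detector below is an added example, not part of the sandbox report or the sample: it correlates takeown/icacls pairs per parent process from process-creation events, normalizing paths under that redirection so the two halves of the tree collapse onto the same five files, and separately flags a file dropped into a system directory whose hash equals the dropping process's own image (titqi.exe carries the sample's hashes in the Downloads section). The event field names, the sequential child PIDs and the is_wow64 heuristic are assumptions for the example.

```python
"""Correlate takeown -> icacls "/grant" pairs on protected Windows binaries per
parent process, and flag a self-copy into System32/SysWOW64.

Added example, not from the sandbox report or the sample. Event field names
(pid, ppid, image, cmdline, path, sha256) are assumptions: map them onto what
your Sysmon/EDR pipeline emits. Events are constructed from the report's
process tree and dropped-file list, with sequential PIDs instead of real ones.
"""
import re
from collections import defaultdict

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
PROTECTED_DIRS = (SYSTEM32, SYSWOW64)
SAMPLE_SHA256 = "96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a"


def win_tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_wow64(image):
    """Assumption: an image loaded from SysWOW64 is a 32-bit process on x64 Windows."""
    return image.lower().startswith(SYSWOW64)


def normalize_path(path, wow64):
    """Lower-case the path and, for a 32-bit caller, apply WoW64 file-system
    redirection: a System32 path requested by such a process resolves to SysWOW64."""
    p = path.lower().replace("/", "\\")
    if wow64 and p.startswith(SYSTEM32):
        p = SYSWOW64 + p[len(SYSTEM32):]
    return p


def parse_acl_command(ev):
    """Return (tool, normalized target, grantee) for `takeown /f <file>` and
    `icacls <file> /grant <who:rights>` command lines, else None."""
    tokens = win_tokens(ev["cmdline"])
    if not tokens:
        return None
    tool = tokens[0].lower().rsplit("\\", 1)[-1]
    tool = tool[:-4] if tool.endswith(".exe") else tool
    lowered = [t.lower() for t in tokens]
    wow64 = is_wow64(ev["image"])
    if tool == "takeown" and "/f" in lowered:
        i = lowered.index("/f")
        if i + 1 < len(tokens):
            return "takeown", normalize_path(tokens[i + 1], wow64), None
    if tool == "icacls" and "/grant" in lowered:
        i = lowered.index("/grant")
        if i >= 2 and i + 1 < len(tokens):
            return "icacls", normalize_path(tokens[1], wow64), tokens[i + 1]
    return None


def analyze(process_events, file_events):
    """Return findings: one per (parent, target) that got both a takeown and an
    icacls /grant, plus one per file dropped into a protected directory whose
    hash equals the dropping process's image hash."""
    by_parent = defaultdict(lambda: {"takeown": set(), "icacls": {}})
    for ev in process_events:
        parsed = parse_acl_command(ev)
        if parsed is None or not parsed[1].startswith(PROTECTED_DIRS):
            continue
        tool, target, grantee = parsed
        if tool == "takeown":
            by_parent[ev["ppid"]]["takeown"].add(target)
        else:
            by_parent[ev["ppid"]]["icacls"][target] = grantee
    findings = []
    for ppid, seen in sorted(by_parent.items()):
        for target in sorted(seen["takeown"].intersection(seen["icacls"])):
            findings.append({"type": "takeown_icacls_pair", "ppid": ppid,
                             "target": target, "grantee": seen["icacls"][target]})
    image_hash = {ev["pid"]: ev.get("sha256") for ev in process_events}
    for fe in file_events:
        path = fe["path"].lower()
        if path.startswith(PROTECTED_DIRS) and fe.get("sha256") \
                and fe["sha256"] == image_hash.get(fe["pid"]):
            findings.append({"type": "self_copy_to_system_dir", "pid": fe["pid"], "path": path})
    return findings


# Constructed events mirroring the report: titqi.exe once, then cmd/ftp/wscript/
# cscript twice each under System32 and twice each under SysWOW64 (17 targets).
PARENT = {"pid": 5112, "ppid": 1, "sha256": SAMPLE_SHA256,
          "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".exe",
          "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE_SHA256 + '.exe"'}
TARGETS = ["C:\\Windows\\system32\\titqi.exe"] + [
    d + b for d in ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")
    for b in ("cmd.exe", "ftp.exe", "wscript.exe", "cscript.exe") for _ in range(2)]
FILE_EVENTS = [{"pid": 5112, "path": "C:\\Windows\\SysWOW64\\titqi.exe", "sha256": SAMPLE_SHA256}]


def build_report_events():
    """Process-creation events for the parent and its 34 takeown/icacls children."""
    events, pid = [PARENT], 1000
    for target in TARGETS:
        for image, cmdline in (
            ("C:\\Windows\\SysWOW64\\takeown.exe", 'takeown.exe /f "%s"' % target),
            ("C:\\Windows\\SysWOW64\\icacls.exe", 'icacls.exe "%s" /grant SYSTEM:F' % target),
        ):
            pid += 1
            events.append({"pid": pid, "ppid": 5112, "image": image, "cmdline": cmdline})
    return events


if __name__ == "__main__":
    for finding in analyze(build_report_events(), FILE_EVENTS):
        print(finding)
```

Run against the constructed events this yields five takeown/icacls pairs, all on SysWOW64 paths, plus one self-copy finding for titqi.exe. Without the WoW64 normalization the same log would look like ten distinct targets, and a rule that only watches C:\Windows\System32 on disk would miss every file the sample actually touched.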
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\titqi.exe (same size and hashes as the submitted sample: a self-copy)
  Filesize: 68KB
  MD5: 076b85a5c833508de41b3cf7292b3c76
  SHA1: e6d5db8f4ce19fc52ca3e8994dd983758629ea5a
  SHA256: 96b7616af0a65d91510d84b39b04635da4511148e16599d469e112c3e73afd8a
  SHA512: 11f4e94524aea494c5c934f14c60508171f9fce6f48414ae347d9796517b5cd6e208cbd1bb80f5ac2664297af97217556d1098594ecbbb05d779fe34d9f470f8
- memory/780-145-0x0000000000000000-mapping.dmp
- memory/924-155-0x0000000000000000-mapping.dmp
- memory/1012-164-0x0000000000000000-mapping.dmp
- memory/1076-165-0x0000000000000000-mapping.dmp
- memory/1488-146-0x0000000000000000-mapping.dmp
- memory/1668-166-0x0000000000000000-mapping.dmp
- memory/1896-147-0x0000000000000000-mapping.dmp
- memory/2208-152-0x0000000000000000-mapping.dmp
- memory/2240-162-0x0000000000000000-mapping.dmp
- memory/2288-154-0x0000000000000000-mapping.dmp
- memory/2640-149-0x0000000000000000-mapping.dmp
- memory/3016-140-0x0000000000000000-mapping.dmp
- memory/3084-138-0x0000000000000000-mapping.dmp
- memory/3088-156-0x0000000000000000-mapping.dmp
- memory/3260-160-0x0000000000000000-mapping.dmp
- memory/3264-142-0x0000000000000000-mapping.dmp
- memory/3372-168-0x0000000000000000-mapping.dmp
- memory/3396-134-0x0000000000000000-mapping.dmp
- memory/3648-148-0x0000000000000000-mapping.dmp
- memory/3652-141-0x0000000000000000-mapping.dmp
- memory/3688-158-0x0000000000000000-mapping.dmp
- memory/4056-136-0x0000000000000000-mapping.dmp
- memory/4092-163-0x0000000000000000-mapping.dmp
- memory/4232-167-0x0000000000000000-mapping.dmp
- memory/4240-151-0x0000000000000000-mapping.dmp
- memory/4496-150-0x0000000000000000-mapping.dmp
- memory/4548-161-0x0000000000000000-mapping.dmp
- memory/4584-159-0x0000000000000000-mapping.dmp
- memory/4728-139-0x0000000000000000-mapping.dmp
- memory/4780-157-0x0000000000000000-mapping.dmp
- memory/4868-137-0x0000000000000000-mapping.dmp
- memory/4872-143-0x0000000000000000-mapping.dmp
- memory/5040-153-0x0000000000000000-mapping.dmp
- memory/5044-144-0x0000000000000000-mapping.dmp