02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48

General

Target

02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
Size

72KB
MD5

52546e1127487e7974fd844aa5bd03f6
SHA1

b042d031ca45dc4ec791127a0ffd9d1e8df7e709
SHA256

02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48
SHA512

448512f62770ae677e0bb8c1d78299648d76a069417f806d5e27531cdd1b8391b2d3152f0b886f590fc2edaf465eec1ea3b66c260302e9dc279cde8fab6e337a
SSDEEP

768:lZ3ekAd0mgBUJ0JtXxvoCjtpIh0xoXj8KIQBHkfOJRdLd5nOggSjyiPFu0/vHNML:lidhehRjwXjMW0aI3mxnkXtPe+qYQO

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
864	icacls.exe
4200	takeown.exe
212	takeown.exe
5076	icacls.exe
2988	takeown.exe
3776	takeown.exe
4144	icacls.exe
1780	icacls.exe
752	icacls.exe
764	takeown.exe
3472	icacls.exe
2040	icacls.exe
1276	takeown.exe
3452	takeown.exe
4428	icacls.exe
4352	takeown.exe
2344	icacls.exe
2340	icacls.exe
5024	takeown.exe
1380	takeown.exe
5044	icacls.exe
1752	icacls.exe
4864	icacls.exe
2272	takeown.exe
1936	takeown.exe
4444	icacls.exe
4756	takeown.exe
5104	takeown.exe
4864	takeown.exe
1148	takeown.exe
4396	takeown.exe
2248	icacls.exe
4876	icacls.exe
2280	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1936	takeown.exe
1780	icacls.exe
4756	takeown.exe
5104	takeown.exe
4864	takeown.exe
3776	takeown.exe
2272	takeown.exe
5044	icacls.exe
3452	takeown.exe
4396	takeown.exe
1380	takeown.exe
4200	takeown.exe
3472	icacls.exe
2988	takeown.exe
2248	icacls.exe
752	icacls.exe
764	takeown.exe
5076	icacls.exe
4876	icacls.exe
2344	icacls.exe
864	icacls.exe
4428	icacls.exe
4352	takeown.exe
1276	takeown.exe
5024	takeown.exe
2280	icacls.exe
212	takeown.exe
4444	icacls.exe
4144	icacls.exe
1148	takeown.exe
1752	icacls.exe
2340	icacls.exe
4864	icacls.exe
2040	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cmd.exe	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
File created	C:\Windows\SysWOW64\crod.exe	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
File opened for modification	C:\Windows\SysWOW64\crod.exe	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	764	takeown.exe
Token: SeTakeOwnershipPrivilege	212	takeown.exe
Token: SeTakeOwnershipPrivilege	3776	takeown.exe
Token: SeTakeOwnershipPrivilege	1148	takeown.exe
Token: SeTakeOwnershipPrivilege	4396	takeown.exe
Token: SeTakeOwnershipPrivilege	2272	takeown.exe
Token: SeTakeOwnershipPrivilege	2988	takeown.exe
Token: SeTakeOwnershipPrivilege	1936	takeown.exe
Token: SeTakeOwnershipPrivilege	4756	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	1380	takeown.exe
Token: SeTakeOwnershipPrivilege	4864	takeown.exe
Token: SeTakeOwnershipPrivilege	3452	takeown.exe
Token: SeTakeOwnershipPrivilege	4352	takeown.exe
Token: SeTakeOwnershipPrivilege	1276	takeown.exe
Token: SeTakeOwnershipPrivilege	4200	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe

pid process

5072 02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe

pid	process
5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe

description	pid	process	target process
PID 5072 wrote to memory of 5024	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 5024	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 5024	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4864	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4864	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4864	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 764	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 764	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 764	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 3472	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 3472	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 3472	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 212	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 212	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 212	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 2040	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2040	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2040	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 3776	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 3776	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 3776	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4144	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4144	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4144	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 1148	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 1148	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 1148	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 5076	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 5076	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 5076	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4396	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4396	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4396	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4876	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4876	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4876	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2272	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 2272	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 2272	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 2248	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2248	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2248	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2988	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 2988	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 2988	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4444	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4444	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4444	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 1936	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 1936	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 1936	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 1780	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 1780	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 1780	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 4756	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4756	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 4756	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 2280	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2280	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 2280	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe
PID 5072 wrote to memory of 5104	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 5104	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 5104	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	takeown.exe
PID 5072 wrote to memory of 1752	5072	02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
"C:\Users\Admin\AppData\Local\Temp\02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\crod.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5024

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\crod.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4864

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3472

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2040

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4144

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5076

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4876

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2248

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4444

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2280

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5044

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:864

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4428

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2344

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2340

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\crod.exe
Filesize
72KB

MD5
52546e1127487e7974fd844aa5bd03f6

SHA1
b042d031ca45dc4ec791127a0ffd9d1e8df7e709

SHA256
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48

SHA512
448512f62770ae677e0bb8c1d78299648d76a069417f806d5e27531cdd1b8391b2d3152f0b886f590fc2edaf465eec1ea3b66c260302e9dc279cde8fab6e337a

Download Submit
memory/212-139-0x0000000000000000-mapping.dmp

Download
memory/752-168-0x0000000000000000-mapping.dmp

Download
memory/764-137-0x0000000000000000-mapping.dmp

Download
memory/864-160-0x0000000000000000-mapping.dmp

Download
memory/1148-143-0x0000000000000000-mapping.dmp

Download
memory/1276-165-0x0000000000000000-mapping.dmp

Download
memory/1380-157-0x0000000000000000-mapping.dmp

Download
memory/1752-156-0x0000000000000000-mapping.dmp

Download
memory/1780-152-0x0000000000000000-mapping.dmp

Download
memory/1936-151-0x0000000000000000-mapping.dmp

Download
memory/2040-140-0x0000000000000000-mapping.dmp

Download
memory/2248-148-0x0000000000000000-mapping.dmp

Download
memory/2272-147-0x0000000000000000-mapping.dmp

Download
memory/2280-154-0x0000000000000000-mapping.dmp

Download
memory/2340-166-0x0000000000000000-mapping.dmp

Download
memory/2344-164-0x0000000000000000-mapping.dmp

Download
memory/2988-149-0x0000000000000000-mapping.dmp

Download
memory/3452-161-0x0000000000000000-mapping.dmp

Download
memory/3472-138-0x0000000000000000-mapping.dmp

Download
memory/3776-141-0x0000000000000000-mapping.dmp

Download
memory/4144-142-0x0000000000000000-mapping.dmp

Download
memory/4200-167-0x0000000000000000-mapping.dmp

Download
memory/4352-163-0x0000000000000000-mapping.dmp

Download
memory/4396-145-0x0000000000000000-mapping.dmp

Download
memory/4428-162-0x0000000000000000-mapping.dmp

Download
memory/4444-150-0x0000000000000000-mapping.dmp

Download
memory/4756-153-0x0000000000000000-mapping.dmp

Download
memory/4864-159-0x0000000000000000-mapping.dmp

Download
memory/4864-136-0x0000000000000000-mapping.dmp

Download
memory/4876-146-0x0000000000000000-mapping.dmp

Download
memory/5024-134-0x0000000000000000-mapping.dmp

Download
memory/5044-158-0x0000000000000000-mapping.dmp

Download
memory/5076-144-0x0000000000000000-mapping.dmp

Download
memory/5104-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads