1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f

General

Target

1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
Size

68KB
MD5

6905e9e6ec69c8f324f51d755f8a85f0
SHA1

18b8badd020675e0251c7431899c58de4fb76533
SHA256

1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f
SHA512

d2fe44141c5cead5d9bcdb0100c90ff0f749b608520963c173a10018585213b6d10b9c4fe52a430324110332bb8a64c267805bc873f9d6dc4cea91b84b201f16
SSDEEP

1536:MbmaGlRCR0dYRrdhSBbWOGlZoLLmCI6DDjA+DjcqxoY3:Mb6bFcdYBHGlZoLmCI6DAcDF

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
2384	icacls.exe
4612	takeown.exe
3404	takeown.exe
1920	takeown.exe
5064	takeown.exe
2136	takeown.exe
4420	icacls.exe
2344	takeown.exe
3540	icacls.exe
5104	takeown.exe
3008	takeown.exe
1208	takeown.exe
2324	takeown.exe
3796	icacls.exe
4000	icacls.exe
4116	takeown.exe
3960	icacls.exe
2100	takeown.exe
844	takeown.exe
2764	icacls.exe
4948	takeown.exe
4564	icacls.exe
3332	icacls.exe
4312	icacls.exe
4348	takeown.exe
4184	icacls.exe
3328	icacls.exe
1768	icacls.exe
2028	takeown.exe
1496	icacls.exe
4924	takeown.exe
5116	icacls.exe
4276	icacls.exe
2836	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
3332	icacls.exe
4184	icacls.exe
2764	icacls.exe
4116	takeown.exe
2028	takeown.exe
4000	icacls.exe
3008	takeown.exe
844	takeown.exe
2136	takeown.exe
3796	icacls.exe
4348	takeown.exe
4948	takeown.exe
3540	icacls.exe
4420	icacls.exe
5116	icacls.exe
2324	takeown.exe
5064	takeown.exe
3404	takeown.exe
2100	takeown.exe
1496	icacls.exe
5104	takeown.exe
4612	takeown.exe
4312	icacls.exe
2836	icacls.exe
2344	takeown.exe
3328	icacls.exe
1768	icacls.exe
4924	takeown.exe
1208	takeown.exe
4564	icacls.exe
1920	takeown.exe
2384	icacls.exe
4276	icacls.exe
3960	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cscript.exe	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File created	C:\Windows\SysWOW64\zllaf.exe	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification	C:\Windows\SysWOW64\zllaf.exe	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	takeown.exe
Token: SeTakeOwnershipPrivilege	3008	takeown.exe
Token: SeTakeOwnershipPrivilege	4612	takeown.exe
Token: SeTakeOwnershipPrivilege	1208	takeown.exe
Token: SeTakeOwnershipPrivilege	4348	takeown.exe
Token: SeTakeOwnershipPrivilege	2324	takeown.exe
Token: SeTakeOwnershipPrivilege	5064	takeown.exe
Token: SeTakeOwnershipPrivilege	844	takeown.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	4948	takeown.exe
Token: SeTakeOwnershipPrivilege	2028	takeown.exe
Token: SeTakeOwnershipPrivilege	3404	takeown.exe
Token: SeTakeOwnershipPrivilege	2344	takeown.exe
Token: SeTakeOwnershipPrivilege	2100	takeown.exe
Token: SeTakeOwnershipPrivilege	2136	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe

pid process

3292 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe

pid	process
3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe

description	pid	process	target process
PID 3292 wrote to memory of 4924	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4924	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4924	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 5116	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 5116	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 5116	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 5104	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 5104	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 5104	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 3796	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 3796	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 3796	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 1920	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 1920	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 1920	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 2384	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 2384	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 2384	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 3008	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 3008	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 3008	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 3332	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 3332	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 3332	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4612	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4612	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4612	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 3328	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 3328	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 3328	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 1208	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 1208	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 1208	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4312	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4312	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4312	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4348	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4348	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4348	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4276	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4276	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4276	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 2324	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 2324	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 2324	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4184	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4184	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4184	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 5064	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 5064	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 5064	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 2836	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 2836	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 2836	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 844	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 844	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 844	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 2764	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 2764	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 2764	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe
PID 3292 wrote to memory of 4116	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4116	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 4116	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	takeown.exe
PID 3292 wrote to memory of 3960	3292	1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
"C:\Users\Admin\AppData\Local\Temp\1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\zllaf.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4924

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\zllaf.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5116

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3796

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2384

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3332

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3328

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4312

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4276

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4184

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2836

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2764

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3960

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4564

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1768

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4000

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3540

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1496

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\zllaf.exe
Filesize
68KB

MD5
6905e9e6ec69c8f324f51d755f8a85f0

SHA1
18b8badd020675e0251c7431899c58de4fb76533

SHA256
1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f

SHA512
d2fe44141c5cead5d9bcdb0100c90ff0f749b608520963c173a10018585213b6d10b9c4fe52a430324110332bb8a64c267805bc873f9d6dc4cea91b84b201f16

Download Submit
memory/844-153-0x0000000000000000-mapping.dmp

Download
memory/1208-145-0x0000000000000000-mapping.dmp

Download
memory/1496-166-0x0000000000000000-mapping.dmp

Download
memory/1768-160-0x0000000000000000-mapping.dmp

Download
memory/1920-139-0x0000000000000000-mapping.dmp

Download
memory/2028-159-0x0000000000000000-mapping.dmp

Download
memory/2100-165-0x0000000000000000-mapping.dmp

Download
memory/2136-167-0x0000000000000000-mapping.dmp

Download
memory/2324-149-0x0000000000000000-mapping.dmp

Download
memory/2344-163-0x0000000000000000-mapping.dmp

Download
memory/2384-140-0x0000000000000000-mapping.dmp

Download
memory/2764-154-0x0000000000000000-mapping.dmp

Download
memory/2836-152-0x0000000000000000-mapping.dmp

Download
memory/3008-141-0x0000000000000000-mapping.dmp

Download
memory/3328-144-0x0000000000000000-mapping.dmp

Download
memory/3332-142-0x0000000000000000-mapping.dmp

Download
memory/3404-161-0x0000000000000000-mapping.dmp

Download
memory/3540-164-0x0000000000000000-mapping.dmp

Download
memory/3796-138-0x0000000000000000-mapping.dmp

Download
memory/3960-156-0x0000000000000000-mapping.dmp

Download
memory/4000-162-0x0000000000000000-mapping.dmp

Download
memory/4116-155-0x0000000000000000-mapping.dmp

Download
memory/4184-150-0x0000000000000000-mapping.dmp

Download
memory/4276-148-0x0000000000000000-mapping.dmp

Download
memory/4312-146-0x0000000000000000-mapping.dmp

Download
memory/4348-147-0x0000000000000000-mapping.dmp

Download
memory/4420-168-0x0000000000000000-mapping.dmp

Download
memory/4564-158-0x0000000000000000-mapping.dmp

Download
memory/4612-143-0x0000000000000000-mapping.dmp

Download
memory/4924-134-0x0000000000000000-mapping.dmp

Download
memory/4948-157-0x0000000000000000-mapping.dmp

Download
memory/5064-151-0x0000000000000000-mapping.dmp

Download
memory/5104-137-0x0000000000000000-mapping.dmp

Download
memory/5116-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads