Analysis
max time kernel: 94s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2022 22:30
Static task: static1
Behavioral task: behavioral1
Sample: 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
Resource: win7-20220901-en
General
Target: 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
Size: 68KB
MD5: 6905e9e6ec69c8f324f51d755f8a85f0
SHA1: 18b8badd020675e0251c7431899c58de4fb76533
SHA256: 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f
SHA512: d2fe44141c5cead5d9bcdb0100c90ff0f749b608520963c173a10018585213b6d10b9c4fe52a430324110332bb8a64c267805bc873f9d6dc4cea91b84b201f16
SSDEEP: 1536:MbmaGlRCR0dYRrdhSBbWOGlZoLLmCI6DDjA+DjcqxoY3:Mb6bFcdYBHGlZoLmCI6DAcDF
Malware Config
Signatures
Possible privilege escalation attempt (34 IoCs)
Processes:
pid   process
2384  icacls.exe
4612  takeown.exe
3404  takeown.exe
1920  takeown.exe
5064  takeown.exe
2136  takeown.exe
4420  icacls.exe
2344  takeown.exe
3540  icacls.exe
5104  takeown.exe
3008  takeown.exe
1208  takeown.exe
2324  takeown.exe
3796  icacls.exe
4000  icacls.exe
4116  takeown.exe
3960  icacls.exe
2100  takeown.exe
844   takeown.exe
2764  icacls.exe
4948  takeown.exe
4564  icacls.exe
3332  icacls.exe
4312  icacls.exe
4348  takeown.exe
4184  icacls.exe
3328  icacls.exe
1768  icacls.exe
2028  takeown.exe
1496  icacls.exe
4924  takeown.exe
5116  icacls.exe
4276  icacls.exe
2836  icacls.exe
Modifies file permissions (1 TTP, 34 IoCs)
Processes:
pid   process
3332  icacls.exe
4184  icacls.exe
2764  icacls.exe
4116  takeown.exe
2028  takeown.exe
4000  icacls.exe
3008  takeown.exe
844   takeown.exe
2136  takeown.exe
3796  icacls.exe
4348  takeown.exe
4948  takeown.exe
3540  icacls.exe
4420  icacls.exe
5116  icacls.exe
2324  takeown.exe
5064  takeown.exe
3404  takeown.exe
2100  takeown.exe
1496  icacls.exe
5104  takeown.exe
4612  takeown.exe
4312  icacls.exe
2836  icacls.exe
2344  takeown.exe
3328  icacls.exe
1768  icacls.exe
4924  takeown.exe
1208  takeown.exe
4564  icacls.exe
1920  takeown.exe
2384  icacls.exe
4276  icacls.exe
3960  icacls.exe
Drops file in System32 directory (6 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\cscript.exe | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File created | C:\Windows\SysWOW64\zllaf.exe | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification | C:\Windows\SysWOW64\zllaf.exe | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification | C:\Windows\SysWOW64\cmd.exe | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
File opened for modification | C:\Windows\SysWOW64\wscript.exe | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 5104 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1920 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3008 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4612 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1208 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4348 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2324 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5064 | takeown.exe
Token: SeTakeOwnershipPrivilege | 844 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4116 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4948 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2028 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3404 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2344 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2100 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2136 | takeown.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid   process
3292  1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 3292 wrote to memory of 4924 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4924 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4924 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 5116 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 5116 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 5116 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 5104 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 5104 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 5104 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 3796 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 3796 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 3796 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 1920 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 1920 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 1920 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 2384 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 2384 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 2384 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 3008 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 3008 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 3008 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 3332 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 3332 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 3332 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4612 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4612 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4612 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 3328 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 3328 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 3328 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 1208 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 1208 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 1208 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4312 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4312 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4312 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4348 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4348 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4348 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4276 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4276 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4276 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 2324 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 2324 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 2324 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4184 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4184 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4184 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 5064 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 5064 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 5064 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 2836 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 2836 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 2836 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 844 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 844 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 844 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 2764 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 2764 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 2764 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
PID 3292 wrote to memory of 4116 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4116 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 4116 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | takeown.exe
PID 3292 wrote to memory of 3960 | 3292 | 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe | icacls.exe
Processes
Each entry gives the process depth in the tree, the image path, the command line, and the signatures that process matched.

[1] C:\Users\Admin\AppData\Local\Temp\1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe
    "C:\Users\Admin\AppData\Local\Temp\1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f.exe"
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\system32\zllaf.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\system32\zllaf.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cmd.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cmd.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\ftp.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\ftp.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\wscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\wscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\SysWOW64\zllaf.exe
Filesize: 68KB
MD5: 6905e9e6ec69c8f324f51d755f8a85f0
SHA1: 18b8badd020675e0251c7431899c58de4fb76533
SHA256: 1dd27eb9559f935c15b7897944d9727bc1cba013794b5e20b2ed248c602c710f
SHA512: d2fe44141c5cead5d9bcdb0100c90ff0f749b608520963c173a10018585213b6d10b9c4fe52a430324110332bb8a64c267805bc873f9d6dc4cea91b84b201f16