4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189

General

Target

4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe
Size

68KB
MD5

4172d99dbdda31568d0b49cf9d92d7e0
SHA1

ee792bd1a9cd220a1b9029b0fe1b88fd8aad5fee
SHA256

4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189
SHA512

c769a85f57146cd42608ff3dc2a07360dc0bcfb87a5eb20d7687786b474e9f8400bb0b9a8713233d9a78a36761508500ead1959a3d27471deaa24de1132732fe
SSDEEP

768:lGUus3huFSgaLva+Nwuk7X0vIurM69GMaq+Z3rzG6pnilLAnWKLkSXG4Xo:lGUVxjkwmwaq+Z/n6SGio

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1260	icacls.exe
3468	takeown.exe
4900	takeown.exe
1080	takeown.exe
4780	icacls.exe
4768	icacls.exe
1976	icacls.exe
4684	takeown.exe
2516	icacls.exe
1276	icacls.exe
2480	takeown.exe
1360	takeown.exe
4700	takeown.exe
4348	takeown.exe
3776	takeown.exe
3280	icacls.exe
616	takeown.exe
2512	takeown.exe
2636	takeown.exe
2660	takeown.exe
2752	icacls.exe
4960	icacls.exe
2180	takeown.exe
3084	icacls.exe
1384	icacls.exe
2576	takeown.exe
4392	icacls.exe
3180	takeown.exe
852	icacls.exe
3236	takeown.exe
4888	icacls.exe
4292	icacls.exe
4776	icacls.exe
4064	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
4900	takeown.exe
3180	takeown.exe
3468	takeown.exe
4768	icacls.exe
4392	icacls.exe
1080	takeown.exe
3280	icacls.exe
4684	takeown.exe
4348	takeown.exe
4960	icacls.exe
1276	icacls.exe
3776	takeown.exe
4064	icacls.exe
3236	takeown.exe
852	icacls.exe
1384	icacls.exe
2576	takeown.exe
616	takeown.exe
4292	icacls.exe
2752	icacls.exe
2480	takeown.exe
2512	takeown.exe
2636	takeown.exe
1976	icacls.exe
2660	takeown.exe
1260	icacls.exe
4776	icacls.exe
1360	takeown.exe
4780	icacls.exe
2180	takeown.exe
4888	icacls.exe
3084	icacls.exe
2516	icacls.exe
4700	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cflzw.exe	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe
File opened for modification	C:\Windows\SysWOW64\cflzw.exe	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2576	takeown.exe
Token: SeTakeOwnershipPrivilege	4348	takeown.exe
Token: SeTakeOwnershipPrivilege	2660	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	3180	takeown.exe
Token: SeTakeOwnershipPrivilege	2480	takeown.exe
Token: SeTakeOwnershipPrivilege	3468	takeown.exe
Token: SeTakeOwnershipPrivilege	3776	takeown.exe
Token: SeTakeOwnershipPrivilege	2180	takeown.exe
Token: SeTakeOwnershipPrivilege	3236	takeown.exe
Token: SeTakeOwnershipPrivilege	616	takeown.exe
Token: SeTakeOwnershipPrivilege	4684	takeown.exe
Token: SeTakeOwnershipPrivilege	2512	takeown.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe
Token: SeTakeOwnershipPrivilege	4700	takeown.exe
Token: SeTakeOwnershipPrivilege	2636	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe

pid process

3464 4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe

pid	process
3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe

description	pid	process	target process
PID 3464 wrote to memory of 4900	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4900	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4900	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4768	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4768	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4768	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 2576	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2576	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2576	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4392	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4392	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4392	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4348	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4348	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4348	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 1976	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 1976	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 1976	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 2660	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2660	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2660	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2752	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 2752	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 2752	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 1080	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 1080	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 1080	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4960	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4960	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4960	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 3180	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3180	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3180	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 1276	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 1276	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 1276	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 2480	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2480	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2480	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 1260	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 1260	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 1260	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 3468	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3468	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3468	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4776	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4776	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4776	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 3776	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3776	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3776	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4064	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4064	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 4064	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 2180	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2180	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 2180	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3280	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 3280	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 3280	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe
PID 3464 wrote to memory of 3236	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3236	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 3236	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	takeown.exe
PID 3464 wrote to memory of 4888	3464	4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe
"C:\Users\Admin\AppData\Local\Temp\4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\cflzw.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4900

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\cflzw.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4768

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4392

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1976

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2752

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4960

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1276

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1260

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4776

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4064

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3280

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4888

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3084

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2516

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:852

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4292

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1384

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cflzw.exe
Filesize
68KB

MD5
4172d99dbdda31568d0b49cf9d92d7e0

SHA1
ee792bd1a9cd220a1b9029b0fe1b88fd8aad5fee

SHA256
4b7fa0d6299d7dbf332f726a071e6a18057c52a44ffba1147845b2a42d178189

SHA512
c769a85f57146cd42608ff3dc2a07360dc0bcfb87a5eb20d7687786b474e9f8400bb0b9a8713233d9a78a36761508500ead1959a3d27471deaa24de1132732fe

Download Submit
memory/616-157-0x0000000000000000-mapping.dmp

Download
memory/852-162-0x0000000000000000-mapping.dmp

Download
memory/1080-143-0x0000000000000000-mapping.dmp

Download
memory/1260-148-0x0000000000000000-mapping.dmp

Download
memory/1276-146-0x0000000000000000-mapping.dmp

Download
memory/1360-163-0x0000000000000000-mapping.dmp

Download
memory/1384-166-0x0000000000000000-mapping.dmp

Download
memory/1976-140-0x0000000000000000-mapping.dmp

Download
memory/2180-153-0x0000000000000000-mapping.dmp

Download
memory/2480-147-0x0000000000000000-mapping.dmp

Download
memory/2512-161-0x0000000000000000-mapping.dmp

Download
memory/2516-160-0x0000000000000000-mapping.dmp

Download
memory/2576-137-0x0000000000000000-mapping.dmp

Download
memory/2636-167-0x0000000000000000-mapping.dmp

Download
memory/2660-141-0x0000000000000000-mapping.dmp

Download
memory/2752-142-0x0000000000000000-mapping.dmp

Download
memory/3084-158-0x0000000000000000-mapping.dmp

Download
memory/3180-145-0x0000000000000000-mapping.dmp

Download
memory/3236-155-0x0000000000000000-mapping.dmp

Download
memory/3280-154-0x0000000000000000-mapping.dmp

Download
memory/3468-149-0x0000000000000000-mapping.dmp

Download
memory/3776-151-0x0000000000000000-mapping.dmp

Download
memory/4064-152-0x0000000000000000-mapping.dmp

Download
memory/4292-164-0x0000000000000000-mapping.dmp

Download
memory/4348-139-0x0000000000000000-mapping.dmp

Download
memory/4392-138-0x0000000000000000-mapping.dmp

Download
memory/4684-159-0x0000000000000000-mapping.dmp

Download
memory/4700-165-0x0000000000000000-mapping.dmp

Download
memory/4768-136-0x0000000000000000-mapping.dmp

Download
memory/4776-150-0x0000000000000000-mapping.dmp

Download
memory/4780-168-0x0000000000000000-mapping.dmp

Download
memory/4888-156-0x0000000000000000-mapping.dmp

Download
memory/4900-134-0x0000000000000000-mapping.dmp

Download
memory/4960-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads