6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648

General

Target

6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe
Size

72KB
MD5

1344621b4058158942a763ad534a01d0
SHA1

a5577f6bbfdf07f8627a23946ff3147c6840668f
SHA256

6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648
SHA512

7cf0cd53de828498d7bf1ae5ed75ad10069a98378801f56ecf22653c5c164a55ad0bc958b194a1efee8266526c9ce2cdcb47eddd7ea51d096b2c4c0244e0d67e
SSDEEP

768:l5RIN9N2yYKW0I5uj/x5qtN6aw6nIUBlKhZh1Fgb3xD/c7udmxACK4BQt8N+Y9XC:7uZYrwMg9FEhyudg+YtC

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
3524	icacls.exe
4352	takeown.exe
2820	icacls.exe
4516	icacls.exe
224	takeown.exe
4260	takeown.exe
1060	icacls.exe
3292	icacls.exe
4308	icacls.exe
608	icacls.exe
64	icacls.exe
3696	icacls.exe
4532	takeown.exe
2500	icacls.exe
804	takeown.exe
3308	takeown.exe
1092	takeown.exe
3764	takeown.exe
4984	icacls.exe
3536	icacls.exe
1116	takeown.exe
4388	takeown.exe
3840	icacls.exe
1660	takeown.exe
3468	takeown.exe
4888	icacls.exe
2016	takeown.exe
3700	takeown.exe
2380	takeown.exe
3792	takeown.exe
2784	takeown.exe
4616	icacls.exe
4832	icacls.exe
1468	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
4532	takeown.exe
3536	icacls.exe
64	icacls.exe
4832	icacls.exe
4388	takeown.exe
4616	icacls.exe
2820	icacls.exe
4260	takeown.exe
4352	takeown.exe
1116	takeown.exe
1468	icacls.exe
2784	takeown.exe
3468	takeown.exe
4888	icacls.exe
2500	icacls.exe
804	takeown.exe
3292	icacls.exe
3700	takeown.exe
608	icacls.exe
3308	takeown.exe
3764	takeown.exe
3840	icacls.exe
3524	icacls.exe
1660	takeown.exe
2380	takeown.exe
224	takeown.exe
3696	icacls.exe
3792	takeown.exe
1060	icacls.exe
4516	icacls.exe
4308	icacls.exe
4984	icacls.exe
1092	takeown.exe
2016	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe

description	ioc	process
File created	C:\Windows\SysWOW64\lfgac.exe	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe
File opened for modification	C:\Windows\SysWOW64\lfgac.exe	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: SeTakeOwnershipPrivilege	3764	takeown.exe
Token: SeTakeOwnershipPrivilege	224	takeown.exe
Token: SeTakeOwnershipPrivilege	1660	takeown.exe
Token: SeTakeOwnershipPrivilege	3700	takeown.exe
Token: SeTakeOwnershipPrivilege	4532	takeown.exe
Token: SeTakeOwnershipPrivilege	2380	takeown.exe
Token: SeTakeOwnershipPrivilege	3792	takeown.exe
Token: SeTakeOwnershipPrivilege	804	takeown.exe
Token: SeTakeOwnershipPrivilege	4352	takeown.exe
Token: SeTakeOwnershipPrivilege	4260	takeown.exe
Token: SeTakeOwnershipPrivilege	3308	takeown.exe
Token: SeTakeOwnershipPrivilege	1116	takeown.exe
Token: SeTakeOwnershipPrivilege	4388	takeown.exe
Token: SeTakeOwnershipPrivilege	3468	takeown.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe

pid process

4508 6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe

pid	process
4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe

description	pid	process	target process
PID 4508 wrote to memory of 1092	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 1092	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 1092	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4888	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4888	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4888	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 2016	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 2016	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 2016	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4516	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4516	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4516	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 224	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 224	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 224	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4308	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4308	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4308	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3764	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3764	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3764	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3840	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3840	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3840	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 1660	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 1660	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 1660	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3696	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3696	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3696	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4532	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4532	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4532	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3524	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3524	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3524	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3700	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3700	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3700	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 2500	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 2500	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 2500	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 2380	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 2380	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 2380	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4984	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4984	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4984	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 3792	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3792	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 3792	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4616	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4616	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4616	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 804	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 804	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 804	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 608	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 608	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 608	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe
PID 4508 wrote to memory of 4352	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4352	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 4352	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	takeown.exe
PID 4508 wrote to memory of 2820	4508	6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe
"C:\Users\Admin\AppData\Local\Temp\6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\lfgac.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1092

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\lfgac.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4888

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4516

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4308

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3840

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3696

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3524

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2500

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4984

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4616

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:608

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2820

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3536

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:64

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4832

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1468

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lfgac.exe
Filesize
72KB

MD5
1344621b4058158942a763ad534a01d0

SHA1
a5577f6bbfdf07f8627a23946ff3147c6840668f

SHA256
6d792e8dffb3e9ca8b7f829358e56c192a47c72acf566e951d735e4d6d785648

SHA512
7cf0cd53de828498d7bf1ae5ed75ad10069a98378801f56ecf22653c5c164a55ad0bc958b194a1efee8266526c9ce2cdcb47eddd7ea51d096b2c4c0244e0d67e

Download Submit
memory/64-160-0x0000000000000000-mapping.dmp

Download
memory/224-139-0x0000000000000000-mapping.dmp

Download
memory/608-154-0x0000000000000000-mapping.dmp

Download
memory/804-153-0x0000000000000000-mapping.dmp

Download
memory/1060-166-0x0000000000000000-mapping.dmp

Download
memory/1092-134-0x0000000000000000-mapping.dmp

Download
memory/1116-161-0x0000000000000000-mapping.dmp

Download
memory/1468-164-0x0000000000000000-mapping.dmp

Download
memory/1660-143-0x0000000000000000-mapping.dmp

Download
memory/2016-137-0x0000000000000000-mapping.dmp

Download
memory/2380-149-0x0000000000000000-mapping.dmp

Download
memory/2500-148-0x0000000000000000-mapping.dmp

Download
memory/2784-165-0x0000000000000000-mapping.dmp

Download
memory/2820-156-0x0000000000000000-mapping.dmp

Download
memory/3292-168-0x0000000000000000-mapping.dmp

Download
memory/3308-159-0x0000000000000000-mapping.dmp

Download
memory/3468-167-0x0000000000000000-mapping.dmp

Download
memory/3524-146-0x0000000000000000-mapping.dmp

Download
memory/3536-158-0x0000000000000000-mapping.dmp

Download
memory/3696-144-0x0000000000000000-mapping.dmp

Download
memory/3700-147-0x0000000000000000-mapping.dmp

Download
memory/3764-141-0x0000000000000000-mapping.dmp

Download
memory/3792-151-0x0000000000000000-mapping.dmp

Download
memory/3840-142-0x0000000000000000-mapping.dmp

Download
memory/4260-157-0x0000000000000000-mapping.dmp

Download
memory/4308-140-0x0000000000000000-mapping.dmp

Download
memory/4352-155-0x0000000000000000-mapping.dmp

Download
memory/4388-163-0x0000000000000000-mapping.dmp

Download
memory/4516-138-0x0000000000000000-mapping.dmp

Download
memory/4532-145-0x0000000000000000-mapping.dmp

Download
memory/4616-152-0x0000000000000000-mapping.dmp

Download
memory/4832-162-0x0000000000000000-mapping.dmp

Download
memory/4888-136-0x0000000000000000-mapping.dmp

Download
memory/4984-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads