5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2

General

Target

5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe
Size

60KB
MD5

0ad95a7819e31770f0b6628621ed1270
SHA1

91cd7d5d95d96cc211c91f3ebbb778a2c5886079
SHA256

5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2
SHA512

96831e0d9e98963d1a150b8ee6ad0dbb8f71bdf7402b8d007a9dfe2d6b84d60e8f3e65d6ab198f9bd8007577974768e19ba8dc33c08f8751c82395fb46fe15b7
SSDEEP

768:IKEWYJPdc6Aqgp7fE/6NqpgYR86WQOPePSFRYwfJNMcQlbZ81:IKEWYJRc7fC6u/RhW9PeENMcQl981

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 20 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
3136	icacls.exe
1944	icacls.exe
4260	icacls.exe
5040	takeown.exe
5080	icacls.exe
2460	takeown.exe
2556	icacls.exe
1980	takeown.exe
2380	icacls.exe
2436	icacls.exe
1960	takeown.exe
4668	icacls.exe
4500	takeown.exe
1560	icacls.exe
1152	icacls.exe
2316	icacls.exe
2132	icacls.exe
4932	takeown.exe
3676	takeown.exe
1332	icacls.exe

Modifies file permissions 1 TTPs 20 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
4668	icacls.exe
2132	icacls.exe
1944	icacls.exe
1560	icacls.exe
2436	icacls.exe
2316	icacls.exe
3136	icacls.exe
4932	takeown.exe
3676	takeown.exe
1960	takeown.exe
2380	icacls.exe
1332	icacls.exe
4500	takeown.exe
2460	takeown.exe
2556	icacls.exe
1152	icacls.exe
1980	takeown.exe
4260	icacls.exe
5040	takeown.exe
5080	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\tcfri.exe	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe
File opened for modification	\??\c:\windows\SysWOW64\tcfri.exe	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2460	takeown.exe
Token: SeTakeOwnershipPrivilege	4932	takeown.exe
Token: SeTakeOwnershipPrivilege	1980	takeown.exe
Token: SeTakeOwnershipPrivilege	3676	takeown.exe
Token: SeTakeOwnershipPrivilege	1960	takeown.exe
Token: SeTakeOwnershipPrivilege	5040	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe

pid process

4780 5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe

pid	process
4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe

description	pid	process	target process
PID 4780 wrote to memory of 4500	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 4500	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 4500	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 3136	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 3136	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 3136	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2460	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 2460	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 2460	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 2132	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2132	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2132	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1944	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1944	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1944	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 4932	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 4932	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 4932	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 2556	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2556	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2556	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1560	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1560	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1560	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1980	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 1980	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 1980	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 1152	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1152	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1152	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2380	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2380	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2380	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 3676	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 3676	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 3676	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 2436	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2436	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2436	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1332	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1332	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1332	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 1960	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 1960	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 1960	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 4668	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 4668	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 4668	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 4260	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 4260	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 4260	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 5040	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 5040	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 5040	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	takeown.exe
PID 4780 wrote to memory of 5080	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 5080	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 5080	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2316	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2316	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe
PID 4780 wrote to memory of 2316	4780	5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe
"C:\Users\Admin\AppData\Local\Temp\5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\tcfri.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4500

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\tcfri.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3136

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2132

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1944

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2556

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1560

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1152

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2380

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2436

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1332

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4668

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4260

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5080

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\tcfri.exe
Filesize
60KB

MD5
0ad95a7819e31770f0b6628621ed1270

SHA1
91cd7d5d95d96cc211c91f3ebbb778a2c5886079

SHA256
5d78dda2707197f2d95b9f93109aa48ef55e4d7525ac269da832b6bbd97258c2

SHA512
96831e0d9e98963d1a150b8ee6ad0dbb8f71bdf7402b8d007a9dfe2d6b84d60e8f3e65d6ab198f9bd8007577974768e19ba8dc33c08f8751c82395fb46fe15b7

Download Submit
memory/1152-144-0x0000000000000000-mapping.dmp

Download
memory/1332-148-0x0000000000000000-mapping.dmp

Download
memory/1560-142-0x0000000000000000-mapping.dmp

Download
memory/1944-139-0x0000000000000000-mapping.dmp

Download
memory/1960-149-0x0000000000000000-mapping.dmp

Download
memory/1980-143-0x0000000000000000-mapping.dmp

Download
memory/2132-138-0x0000000000000000-mapping.dmp

Download
memory/2316-154-0x0000000000000000-mapping.dmp

Download
memory/2380-145-0x0000000000000000-mapping.dmp

Download
memory/2436-147-0x0000000000000000-mapping.dmp

Download
memory/2460-137-0x0000000000000000-mapping.dmp

Download
memory/2556-141-0x0000000000000000-mapping.dmp

Download
memory/3136-135-0x0000000000000000-mapping.dmp

Download
memory/3676-146-0x0000000000000000-mapping.dmp

Download
memory/4260-151-0x0000000000000000-mapping.dmp

Download
memory/4500-134-0x0000000000000000-mapping.dmp

Download
memory/4668-150-0x0000000000000000-mapping.dmp

Download
memory/4932-140-0x0000000000000000-mapping.dmp

Download
memory/5040-152-0x0000000000000000-mapping.dmp

Download
memory/5080-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads