c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf

General

Target

c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
Size

72KB
MD5

81a13f9d7efa8f86332cb8f897df2a46
SHA1

d0f11013eca20c750ae74456ed17fb2b010c5e23
SHA256

c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf
SHA512

189cc022b5bbd0548f2d76790ed7460c33b84a6806ca37609a4a38372a7dc9ade677ec1b154a90d64988e0e8176180310fe24f707fb3a79924be99ecbcfb822d
SSDEEP

768:7h8akJlX0iPhUUqMtGUcwNttsvWTd9DO13rqMDs08PmXFwXxuFyQ/b11HzoN8Otx:7uaEvhUUFC3elPUCuFy+11cNXt47cL

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
3364	icacls.exe
4300	icacls.exe
1280	takeown.exe
3124	icacls.exe
3616	icacls.exe
1628	takeown.exe
2832	icacls.exe
1236	takeown.exe
2768	takeown.exe
1040	takeown.exe
1900	icacls.exe
2208	takeown.exe
2060	takeown.exe
3904	takeown.exe
1668	takeown.exe
228	takeown.exe
5012	icacls.exe
3316	icacls.exe
1476	icacls.exe
2420	takeown.exe
332	icacls.exe
1328	icacls.exe
3516	icacls.exe
4676	takeown.exe
2160	takeown.exe
1004	icacls.exe
4872	icacls.exe
1700	takeown.exe
4288	icacls.exe
3432	icacls.exe
4028	takeown.exe
4568	takeown.exe
1736	takeown.exe
3584	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
3432	icacls.exe
3364	icacls.exe
4872	icacls.exe
2060	takeown.exe
3584	icacls.exe
4300	icacls.exe
3316	icacls.exe
1700	takeown.exe
2160	takeown.exe
3904	takeown.exe
1004	icacls.exe
1236	takeown.exe
4288	icacls.exe
4568	takeown.exe
228	takeown.exe
2832	icacls.exe
2420	takeown.exe
1668	takeown.exe
2768	takeown.exe
1900	icacls.exe
2208	takeown.exe
1628	takeown.exe
1736	takeown.exe
332	icacls.exe
3516	icacls.exe
4028	takeown.exe
1280	takeown.exe
1040	takeown.exe
3124	icacls.exe
1328	icacls.exe
3616	icacls.exe
5012	icacls.exe
4676	takeown.exe
1476	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ngfs.exe	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
File opened for modification	C:\Windows\SysWOW64\ngfs.exe	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2060	takeown.exe
Token: SeTakeOwnershipPrivilege	3904	takeown.exe
Token: SeTakeOwnershipPrivilege	1736	takeown.exe
Token: SeTakeOwnershipPrivilege	1236	takeown.exe
Token: SeTakeOwnershipPrivilege	4676	takeown.exe
Token: SeTakeOwnershipPrivilege	2420	takeown.exe
Token: SeTakeOwnershipPrivilege	4028	takeown.exe
Token: SeTakeOwnershipPrivilege	1668	takeown.exe
Token: SeTakeOwnershipPrivilege	1280	takeown.exe
Token: SeTakeOwnershipPrivilege	1700	takeown.exe
Token: SeTakeOwnershipPrivilege	2768	takeown.exe
Token: SeTakeOwnershipPrivilege	1040	takeown.exe
Token: SeTakeOwnershipPrivilege	4568	takeown.exe
Token: SeTakeOwnershipPrivilege	228	takeown.exe
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	2208	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe

pid process

2012 c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe

pid	process
2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe

description	pid	process	target process
PID 2012 wrote to memory of 1628	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1628	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1628	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 5012	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 5012	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 5012	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 2060	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 2060	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 2060	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 2832	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 2832	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 2832	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3904	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 3904	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 3904	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1004	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1004	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1004	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1736	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1736	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1736	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 3516	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3516	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3516	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1236	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1236	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1236	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 3316	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3316	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3316	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 4676	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 4676	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 4676	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1476	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1476	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1476	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 2420	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 2420	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 2420	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 3584	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3584	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3584	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 4028	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 4028	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 4028	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 4300	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 4300	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 4300	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1668	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1668	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1668	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 4288	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 4288	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 4288	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1280	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1280	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1280	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 3432	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3432	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 3432	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe
PID 2012 wrote to memory of 1700	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1700	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 1700	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	takeown.exe
PID 2012 wrote to memory of 3364	2012	c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
"C:\Users\Admin\AppData\Local\Temp\c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\ngfs.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1628

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\ngfs.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5012

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2832

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1004

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3516

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3316

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1476

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3584

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4300

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4288

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3432

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3364

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4872

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1900

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3124

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:332

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1328

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ngfs.exe
Filesize
72KB

MD5
81a13f9d7efa8f86332cb8f897df2a46

SHA1
d0f11013eca20c750ae74456ed17fb2b010c5e23

SHA256
c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf

SHA512
189cc022b5bbd0548f2d76790ed7460c33b84a6806ca37609a4a38372a7dc9ade677ec1b154a90d64988e0e8176180310fe24f707fb3a79924be99ecbcfb822d

Download Submit
memory/228-163-0x0000000000000000-mapping.dmp

Download
memory/332-164-0x0000000000000000-mapping.dmp

Download
memory/1004-140-0x0000000000000000-mapping.dmp

Download
memory/1040-159-0x0000000000000000-mapping.dmp

Download
memory/1236-143-0x0000000000000000-mapping.dmp

Download
memory/1280-153-0x0000000000000000-mapping.dmp

Download
memory/1328-166-0x0000000000000000-mapping.dmp

Download
memory/1476-146-0x0000000000000000-mapping.dmp

Download
memory/1628-134-0x0000000000000000-mapping.dmp

Download
memory/1668-151-0x0000000000000000-mapping.dmp

Download
memory/1700-155-0x0000000000000000-mapping.dmp

Download
memory/1736-141-0x0000000000000000-mapping.dmp

Download
memory/1900-160-0x0000000000000000-mapping.dmp

Download
memory/2060-137-0x0000000000000000-mapping.dmp

Download
memory/2160-165-0x0000000000000000-mapping.dmp

Download
memory/2208-167-0x0000000000000000-mapping.dmp

Download
memory/2420-147-0x0000000000000000-mapping.dmp

Download
memory/2768-157-0x0000000000000000-mapping.dmp

Download
memory/2832-138-0x0000000000000000-mapping.dmp

Download
memory/3124-162-0x0000000000000000-mapping.dmp

Download
memory/3316-144-0x0000000000000000-mapping.dmp

Download
memory/3364-156-0x0000000000000000-mapping.dmp

Download
memory/3432-154-0x0000000000000000-mapping.dmp

Download
memory/3516-142-0x0000000000000000-mapping.dmp

Download
memory/3584-148-0x0000000000000000-mapping.dmp

Download
memory/3616-168-0x0000000000000000-mapping.dmp

Download
memory/3904-139-0x0000000000000000-mapping.dmp

Download
memory/4028-149-0x0000000000000000-mapping.dmp

Download
memory/4288-152-0x0000000000000000-mapping.dmp

Download
memory/4300-150-0x0000000000000000-mapping.dmp

Download
memory/4568-161-0x0000000000000000-mapping.dmp

Download
memory/4676-145-0x0000000000000000-mapping.dmp

Download
memory/4872-158-0x0000000000000000-mapping.dmp

Download
memory/5012-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads