14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf

General

Target

14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe
Size

68KB
MD5

04979ba43d2a66da6f82dba777f37ef6
SHA1

bae61b6086e88810216ada12033ad85b55cfc8d1
SHA256

14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf
SHA512

20a0815cce19cd9214f19ede1873e4cd634e2379e5578b1d58227bb0e812279f659307feeb67b22887a64a1c50b7e31e1abca9802339cb1783017e875546fd53
SSDEEP

1536:yi1V73h8E3n/dWMImM9FxMpebIXzLWPw:yMOE3n/dWPmM9FWvfZ

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
1352	icacls.exe
2568	takeown.exe
3512	icacls.exe
4332	takeown.exe
3208	takeown.exe
480	icacls.exe
4372	takeown.exe
4464	icacls.exe
64	icacls.exe
1504	icacls.exe
1116	icacls.exe
4512	takeown.exe
2996	icacls.exe
1328	takeown.exe
864	icacls.exe
4928	icacls.exe
4328	takeown.exe
4388	takeown.exe
4432	takeown.exe
5068	takeown.exe
2004	takeown.exe
3440	takeown.exe
1664	icacls.exe
4996	takeown.exe
924	icacls.exe
1876	icacls.exe
2508	icacls.exe
4560	icacls.exe
4400	icacls.exe
4160	takeown.exe
4700	icacls.exe
1124	takeown.exe
460	takeown.exe
4492	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
4432	takeown.exe
4512	takeown.exe
4332	takeown.exe
4160	takeown.exe
864	icacls.exe
4700	icacls.exe
4928	icacls.exe
1664	icacls.exe
480	icacls.exe
4372	takeown.exe
1352	icacls.exe
4560	icacls.exe
2996	icacls.exe
5068	takeown.exe
1876	icacls.exe
3440	takeown.exe
2508	icacls.exe
1124	takeown.exe
460	takeown.exe
1116	icacls.exe
4464	icacls.exe
2568	takeown.exe
4328	takeown.exe
4400	icacls.exe
924	icacls.exe
4388	takeown.exe
2004	takeown.exe
4996	takeown.exe
4492	takeown.exe
3512	icacls.exe
1328	takeown.exe
3208	takeown.exe
64	icacls.exe
1504	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\zdsck.exe	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe
File opened for modification	C:\Windows\SysWOW64\zdsck.exe	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4512	takeown.exe
Token: SeTakeOwnershipPrivilege	4332	takeown.exe
Token: SeTakeOwnershipPrivilege	5068	takeown.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe
Token: SeTakeOwnershipPrivilege	4388	takeown.exe
Token: SeTakeOwnershipPrivilege	4160	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	3440	takeown.exe
Token: SeTakeOwnershipPrivilege	3208	takeown.exe
Token: SeTakeOwnershipPrivilege	2568	takeown.exe
Token: SeTakeOwnershipPrivilege	1124	takeown.exe
Token: SeTakeOwnershipPrivilege	460	takeown.exe
Token: SeTakeOwnershipPrivilege	4492	takeown.exe
Token: SeTakeOwnershipPrivilege	4432	takeown.exe
Token: SeTakeOwnershipPrivilege	4328	takeown.exe
Token: SeTakeOwnershipPrivilege	4372	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe

pid process

4152 14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe

pid	process
4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe

description	pid	process	target process
PID 4152 wrote to memory of 4996	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4996	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4996	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 1116	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 1116	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 1116	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4512	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4512	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4512	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 2996	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 2996	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 2996	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4332	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4332	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4332	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 1352	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 1352	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 1352	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 5068	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 5068	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 5068	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4400	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4400	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4400	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 1328	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 1328	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 1328	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 924	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 924	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 924	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4388	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4388	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4388	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 1876	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 1876	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 1876	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4160	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4160	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4160	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4464	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4464	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4464	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 2004	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 2004	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 2004	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 864	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 864	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 864	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 3440	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 3440	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 3440	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4700	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4700	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 4700	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 3208	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 3208	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 3208	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 2508	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 2508	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 2508	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe
PID 4152 wrote to memory of 2568	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 2568	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 2568	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	takeown.exe
PID 4152 wrote to memory of 4928	4152	14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe
"C:\Users\Admin\AppData\Local\Temp\14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\zdsck.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4996

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\zdsck.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1116

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2996

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1352

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4400

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:924

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1876

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4464

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:864

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4700

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2508

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4928

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:64

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1664

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1504

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4560

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:480

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\zdsck.exe
Filesize
68KB

MD5
04979ba43d2a66da6f82dba777f37ef6

SHA1
bae61b6086e88810216ada12033ad85b55cfc8d1

SHA256
14ab70d14afe0daaf39c12ecf092fd1b19b838e4545d22c2cadc9ec971409dbf

SHA512
20a0815cce19cd9214f19ede1873e4cd634e2379e5578b1d58227bb0e812279f659307feeb67b22887a64a1c50b7e31e1abca9802339cb1783017e875546fd53

Download Submit
memory/64-158-0x0000000000000000-mapping.dmp

Download
memory/460-159-0x0000000000000000-mapping.dmp

Download
memory/480-166-0x0000000000000000-mapping.dmp

Download
memory/864-150-0x0000000000000000-mapping.dmp

Download
memory/924-144-0x0000000000000000-mapping.dmp

Download
memory/1116-135-0x0000000000000000-mapping.dmp

Download
memory/1124-157-0x0000000000000000-mapping.dmp

Download
memory/1328-143-0x0000000000000000-mapping.dmp

Download
memory/1352-140-0x0000000000000000-mapping.dmp

Download
memory/1504-162-0x0000000000000000-mapping.dmp

Download
memory/1664-160-0x0000000000000000-mapping.dmp

Download
memory/1876-146-0x0000000000000000-mapping.dmp

Download
memory/2004-149-0x0000000000000000-mapping.dmp

Download
memory/2508-154-0x0000000000000000-mapping.dmp

Download
memory/2568-155-0x0000000000000000-mapping.dmp

Download
memory/2996-138-0x0000000000000000-mapping.dmp

Download
memory/3208-153-0x0000000000000000-mapping.dmp

Download
memory/3440-151-0x0000000000000000-mapping.dmp

Download
memory/3512-168-0x0000000000000000-mapping.dmp

Download
memory/4160-147-0x0000000000000000-mapping.dmp

Download
memory/4328-165-0x0000000000000000-mapping.dmp

Download
memory/4332-139-0x0000000000000000-mapping.dmp

Download
memory/4372-167-0x0000000000000000-mapping.dmp

Download
memory/4388-145-0x0000000000000000-mapping.dmp

Download
memory/4400-142-0x0000000000000000-mapping.dmp

Download
memory/4432-163-0x0000000000000000-mapping.dmp

Download
memory/4464-148-0x0000000000000000-mapping.dmp

Download
memory/4492-161-0x0000000000000000-mapping.dmp

Download
memory/4512-137-0x0000000000000000-mapping.dmp

Download
memory/4560-164-0x0000000000000000-mapping.dmp

Download
memory/4700-152-0x0000000000000000-mapping.dmp

Download
memory/4928-156-0x0000000000000000-mapping.dmp

Download
memory/4996-134-0x0000000000000000-mapping.dmp

Download
memory/5068-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads