513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589

General

Target

513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
Size

68KB
MD5

07f781b7f328b7fbe798c6535c2be631
SHA1

dbd59d57a2af6b7e16ac3c599ff35870583ff641
SHA256

513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589
SHA512

b35d7b13275e46fbad29e0344d5e9f9c47fc320541e34f864909c257ec7904549b603adc67ad78716575104f6f767961a421c179b72bacb93b9b10608bc3701d
SSDEEP

768:gZICV1mYUjoFag/dOTyqC83SMzjGzBccOBb66DeUpmDo3/hmKNvUd0A+oTnXL:gZz1qC8rjGucOBO6tYEPqK/ozL

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
3256	takeown.exe
1640	icacls.exe
3304	icacls.exe
2584	icacls.exe
5088	takeown.exe
4896	icacls.exe
2124	takeown.exe
4160	takeown.exe
416	takeown.exe
4004	icacls.exe
3872	takeown.exe
3524	takeown.exe
4788	icacls.exe
2792	takeown.exe
4244	icacls.exe
3952	icacls.exe
1692	takeown.exe
4624	icacls.exe
4660	icacls.exe
3504	takeown.exe
3828	takeown.exe
2252	takeown.exe
1808	icacls.exe
4116	takeown.exe
4084	icacls.exe
4496	takeown.exe
1020	takeown.exe
4560	icacls.exe
3264	icacls.exe
4180	takeown.exe
1132	takeown.exe
2464	icacls.exe
1824	icacls.exe
4648	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
4496	takeown.exe
3264	icacls.exe
2584	icacls.exe
1692	takeown.exe
4624	icacls.exe
1824	icacls.exe
4648	icacls.exe
3256	takeown.exe
2124	takeown.exe
4004	icacls.exe
3504	takeown.exe
3828	takeown.exe
4084	icacls.exe
4788	icacls.exe
2464	icacls.exe
2252	takeown.exe
3524	takeown.exe
1640	icacls.exe
1020	takeown.exe
3304	icacls.exe
5088	takeown.exe
2792	takeown.exe
4896	icacls.exe
4244	icacls.exe
4660	icacls.exe
3872	takeown.exe
4560	icacls.exe
4180	takeown.exe
3952	icacls.exe
4116	takeown.exe
4160	takeown.exe
416	takeown.exe
1132	takeown.exe
1808	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
File created	C:\Windows\SysWOW64\bdnos.exe	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
File opened for modification	C:\Windows\SysWOW64\bdnos.exe	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3524	takeown.exe
Token: SeTakeOwnershipPrivilege	3828	takeown.exe
Token: SeTakeOwnershipPrivilege	4180	takeown.exe
Token: SeTakeOwnershipPrivilege	1132	takeown.exe
Token: SeTakeOwnershipPrivilege	3256	takeown.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	2124	takeown.exe
Token: SeTakeOwnershipPrivilege	4160	takeown.exe
Token: SeTakeOwnershipPrivilege	5088	takeown.exe
Token: SeTakeOwnershipPrivilege	1020	takeown.exe
Token: SeTakeOwnershipPrivilege	1692	takeown.exe
Token: SeTakeOwnershipPrivilege	2252	takeown.exe
Token: SeTakeOwnershipPrivilege	416	takeown.exe
Token: SeTakeOwnershipPrivilege	3872	takeown.exe
Token: SeTakeOwnershipPrivilege	3504	takeown.exe
Token: SeTakeOwnershipPrivilege	2792	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe

pid process

2168 513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe

pid	process
2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe

description	pid	process	target process
PID 2168 wrote to memory of 4496	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4496	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4496	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4896	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4896	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4896	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3524	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3524	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3524	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4648	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4648	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4648	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3828	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3828	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3828	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3264	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3264	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3264	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4180	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4180	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4180	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4244	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4244	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4244	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 1132	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 1132	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 1132	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3952	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3952	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3952	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3256	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3256	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3256	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 1640	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 1640	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 1640	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4116	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4116	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4116	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 1808	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 1808	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 1808	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 2124	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 2124	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 2124	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 3304	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3304	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 3304	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4160	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4160	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4160	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 2584	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 2584	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 2584	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 5088	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 5088	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 5088	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4084	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4084	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 4084	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe
PID 2168 wrote to memory of 1020	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 1020	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 1020	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	takeown.exe
PID 2168 wrote to memory of 4788	2168	513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
"C:\Users\Admin\AppData\Local\Temp\513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\bdnos.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4496

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\bdnos.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4896

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4648

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3264

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4244

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3952

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1808

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3304

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2584

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4084

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4788

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2464

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4624

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:416

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4004

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4660

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4560

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bdnos.exe
Filesize
68KB

MD5
07f781b7f328b7fbe798c6535c2be631

SHA1
dbd59d57a2af6b7e16ac3c599ff35870583ff641

SHA256
513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589

SHA512
b35d7b13275e46fbad29e0344d5e9f9c47fc320541e34f864909c257ec7904549b603adc67ad78716575104f6f767961a421c179b72bacb93b9b10608bc3701d

Download Submit
memory/416-161-0x0000000000000000-mapping.dmp

Download
memory/1020-155-0x0000000000000000-mapping.dmp

Download
memory/1132-143-0x0000000000000000-mapping.dmp

Download
memory/1640-146-0x0000000000000000-mapping.dmp

Download
memory/1692-157-0x0000000000000000-mapping.dmp

Download
memory/1808-148-0x0000000000000000-mapping.dmp

Download
memory/1824-168-0x0000000000000000-mapping.dmp

Download
memory/2124-149-0x0000000000000000-mapping.dmp

Download
memory/2252-159-0x0000000000000000-mapping.dmp

Download
memory/2464-158-0x0000000000000000-mapping.dmp

Download
memory/2584-152-0x0000000000000000-mapping.dmp

Download
memory/2792-167-0x0000000000000000-mapping.dmp

Download
memory/3256-145-0x0000000000000000-mapping.dmp

Download
memory/3264-140-0x0000000000000000-mapping.dmp

Download
memory/3304-150-0x0000000000000000-mapping.dmp

Download
memory/3504-165-0x0000000000000000-mapping.dmp

Download
memory/3524-137-0x0000000000000000-mapping.dmp

Download
memory/3828-139-0x0000000000000000-mapping.dmp

Download
memory/3872-163-0x0000000000000000-mapping.dmp

Download
memory/3952-144-0x0000000000000000-mapping.dmp

Download
memory/4004-162-0x0000000000000000-mapping.dmp

Download
memory/4084-154-0x0000000000000000-mapping.dmp

Download
memory/4116-147-0x0000000000000000-mapping.dmp

Download
memory/4160-151-0x0000000000000000-mapping.dmp

Download
memory/4180-141-0x0000000000000000-mapping.dmp

Download
memory/4244-142-0x0000000000000000-mapping.dmp

Download
memory/4496-134-0x0000000000000000-mapping.dmp

Download
memory/4560-166-0x0000000000000000-mapping.dmp

Download
memory/4624-160-0x0000000000000000-mapping.dmp

Download
memory/4648-138-0x0000000000000000-mapping.dmp

Download
memory/4660-164-0x0000000000000000-mapping.dmp

Download
memory/4788-156-0x0000000000000000-mapping.dmp

Download
memory/4896-136-0x0000000000000000-mapping.dmp

Download
memory/5088-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads