3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec

General

Target

3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
Size

68KB
MD5

0cab7ae738d38cd1696b4d11ccb1c6f1
SHA1

1db970ba877f7cb21667ef1e5f4e4d19a04775f8
SHA256

3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec
SHA512

ab9bb42929a8f8d6d04d9d946caa53bf9b06ad2ddd7957d73ebb0153820614e6ed4da76265882cc8ebabef88d815d4514d7881226ecc44f25f7416be2910df54
SSDEEP

768:sYDBx5I5HbkNc7Rhb+AupEKshmpmAg28Oc2JAp+T5b889kwAEVKoPCpktqxJMVZ9:sOBwFk/ASV/mn/O9kuE/npirLVZy+4a

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
1408	takeown.exe
4224	icacls.exe
4452	icacls.exe
3848	icacls.exe
644	icacls.exe
1576	icacls.exe
1984	takeown.exe
4564	icacls.exe
3588	takeown.exe
2376	icacls.exe
4644	takeown.exe
2992	icacls.exe
2264	takeown.exe
1836	icacls.exe
908	takeown.exe
3372	takeown.exe
1612	icacls.exe
3880	icacls.exe
2772	takeown.exe
3112	icacls.exe
1756	icacls.exe
3240	takeown.exe
4844	icacls.exe
316	takeown.exe
1872	takeown.exe
3696	takeown.exe
448	takeown.exe
4836	icacls.exe
5032	takeown.exe
4572	icacls.exe
1036	takeown.exe
4708	takeown.exe
2492	takeown.exe
3604	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
3588	takeown.exe
3112	icacls.exe
1576	icacls.exe
2992	icacls.exe
4572	icacls.exe
3848	icacls.exe
4708	takeown.exe
644	icacls.exe
4644	takeown.exe
1836	icacls.exe
2772	takeown.exe
2492	takeown.exe
3372	takeown.exe
4564	icacls.exe
3240	takeown.exe
5032	takeown.exe
908	takeown.exe
2376	icacls.exe
4836	icacls.exe
1612	icacls.exe
316	takeown.exe
3696	takeown.exe
4452	icacls.exe
4844	icacls.exe
1872	takeown.exe
1408	takeown.exe
3604	icacls.exe
4224	icacls.exe
448	takeown.exe
1036	takeown.exe
1984	takeown.exe
3880	icacls.exe
2264	takeown.exe
1756	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cscript.exe	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
File created	C:\Windows\SysWOW64\abim.exe	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
File opened for modification	C:\Windows\SysWOW64\abim.exe	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2772	takeown.exe
Token: SeTakeOwnershipPrivilege	908	takeown.exe
Token: SeTakeOwnershipPrivilege	448	takeown.exe
Token: SeTakeOwnershipPrivilege	3588	takeown.exe
Token: SeTakeOwnershipPrivilege	4644	takeown.exe
Token: SeTakeOwnershipPrivilege	1036	takeown.exe
Token: SeTakeOwnershipPrivilege	4708	takeown.exe
Token: SeTakeOwnershipPrivilege	3372	takeown.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe
Token: SeTakeOwnershipPrivilege	1984	takeown.exe
Token: SeTakeOwnershipPrivilege	316	takeown.exe
Token: SeTakeOwnershipPrivilege	1872	takeown.exe
Token: SeTakeOwnershipPrivilege	2264	takeown.exe
Token: SeTakeOwnershipPrivilege	1408	takeown.exe
Token: SeTakeOwnershipPrivilege	3696	takeown.exe
Token: SeTakeOwnershipPrivilege	3240	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe

pid process

2732 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe

pid	process
2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe

description	pid	process	target process
PID 2732 wrote to memory of 5032	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 5032	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 5032	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4224	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4224	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4224	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 2772	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 2772	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 2772	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4572	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4572	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4572	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 908	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 908	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 908	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4452	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4452	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4452	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 448	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 448	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 448	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 3848	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 3848	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 3848	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 3588	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 3588	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 3588	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 2376	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 2376	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 2376	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4644	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4644	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4644	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4836	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4836	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4836	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 1036	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 1036	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 1036	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4844	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4844	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4844	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 4708	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4708	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 4708	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 644	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 644	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 644	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 3372	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 3372	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 3372	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 3112	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 3112	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 3112	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 2492	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 2492	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 2492	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 1576	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 1576	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 1576	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe
PID 2732 wrote to memory of 1984	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 1984	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 1984	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	takeown.exe
PID 2732 wrote to memory of 1612	2732	3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
"C:\Users\Admin\AppData\Local\Temp\3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\abim.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5032

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\abim.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4572

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4452

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3848

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2376

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4836

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4844

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:644

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3112

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2992

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3880

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4564

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1836

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1756

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3604

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\abim.exe
Filesize
68KB

MD5
0cab7ae738d38cd1696b4d11ccb1c6f1

SHA1
1db970ba877f7cb21667ef1e5f4e4d19a04775f8

SHA256
3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec

SHA512
ab9bb42929a8f8d6d04d9d946caa53bf9b06ad2ddd7957d73ebb0153820614e6ed4da76265882cc8ebabef88d815d4514d7881226ecc44f25f7416be2910df54

Download Submit
memory/316-157-0x0000000000000000-mapping.dmp

Download
memory/448-141-0x0000000000000000-mapping.dmp

Download
memory/644-150-0x0000000000000000-mapping.dmp

Download
memory/908-139-0x0000000000000000-mapping.dmp

Download
memory/1036-147-0x0000000000000000-mapping.dmp

Download
memory/1408-163-0x0000000000000000-mapping.dmp

Download
memory/1576-154-0x0000000000000000-mapping.dmp

Download
memory/1612-156-0x0000000000000000-mapping.dmp

Download
memory/1756-166-0x0000000000000000-mapping.dmp

Download
memory/1836-164-0x0000000000000000-mapping.dmp

Download
memory/1872-159-0x0000000000000000-mapping.dmp

Download
memory/1984-155-0x0000000000000000-mapping.dmp

Download
memory/2264-161-0x0000000000000000-mapping.dmp

Download
memory/2376-144-0x0000000000000000-mapping.dmp

Download
memory/2492-153-0x0000000000000000-mapping.dmp

Download
memory/2772-137-0x0000000000000000-mapping.dmp

Download
memory/2992-158-0x0000000000000000-mapping.dmp

Download
memory/3112-152-0x0000000000000000-mapping.dmp

Download
memory/3240-167-0x0000000000000000-mapping.dmp

Download
memory/3372-151-0x0000000000000000-mapping.dmp

Download
memory/3588-143-0x0000000000000000-mapping.dmp

Download
memory/3604-168-0x0000000000000000-mapping.dmp

Download
memory/3696-165-0x0000000000000000-mapping.dmp

Download
memory/3848-142-0x0000000000000000-mapping.dmp

Download
memory/3880-160-0x0000000000000000-mapping.dmp

Download
memory/4224-136-0x0000000000000000-mapping.dmp

Download
memory/4452-140-0x0000000000000000-mapping.dmp

Download
memory/4564-162-0x0000000000000000-mapping.dmp

Download
memory/4572-138-0x0000000000000000-mapping.dmp

Download
memory/4644-145-0x0000000000000000-mapping.dmp

Download
memory/4708-149-0x0000000000000000-mapping.dmp

Download
memory/4836-146-0x0000000000000000-mapping.dmp

Download
memory/4844-148-0x0000000000000000-mapping.dmp

Download
memory/5032-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads