facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42

General

Target

facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
Size

72KB
MD5

31620df922955bc7ac7989e4a7fde6e0
SHA1

17a4f735cf75dbf35d7e110221711b7378d0ca1e
SHA256

facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42
SHA512

a56e78860f49a9ecb1f11334a83b8399865a313c769f9161acaec79b293a9257a5955d3337a59ea9f10b3fcd948517ec4365e422b67b50813347f81345441dc1
SSDEEP

1536:sY2GmbO6afLN1IylGzV6/+CiHgRqL6Ihw:sYZmy6aR1xlGzV6GXL6cw

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
4608	takeown.exe
4212	takeown.exe
5016	icacls.exe
4728	takeown.exe
4528	takeown.exe
2676	icacls.exe
4716	icacls.exe
2592	icacls.exe
1648	icacls.exe
4892	icacls.exe
696	takeown.exe
3772	icacls.exe
3040	takeown.exe
1936	icacls.exe
4024	takeown.exe
368	icacls.exe
1572	takeown.exe
3512	icacls.exe
1468	icacls.exe
2748	icacls.exe
4276	takeown.exe
2220	icacls.exe
2732	takeown.exe
1892	icacls.exe
4220	icacls.exe
4816	icacls.exe
4120	takeown.exe
824	takeown.exe
380	takeown.exe
512	takeown.exe
4484	icacls.exe
3388	takeown.exe
804	takeown.exe
4988	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4528	takeown.exe
3388	takeown.exe
2748	icacls.exe
804	takeown.exe
2592	icacls.exe
4220	icacls.exe
696	takeown.exe
3772	icacls.exe
4484	icacls.exe
1936	icacls.exe
4276	takeown.exe
4716	icacls.exe
4608	takeown.exe
4728	takeown.exe
2676	icacls.exe
512	takeown.exe
4024	takeown.exe
1648	icacls.exe
1468	icacls.exe
4892	icacls.exe
1892	icacls.exe
4816	icacls.exe
1572	takeown.exe
5016	icacls.exe
824	takeown.exe
3512	icacls.exe
2732	takeown.exe
368	icacls.exe
4212	takeown.exe
2220	icacls.exe
4120	takeown.exe
380	takeown.exe
3040	takeown.exe
4988	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe

description	ioc	process
File created	C:\Windows\SysWOW64\smlx.exe	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification	C:\Windows\SysWOW64\smlx.exe	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4728	takeown.exe
Token: SeTakeOwnershipPrivilege	4528	takeown.exe
Token: SeTakeOwnershipPrivilege	4120	takeown.exe
Token: SeTakeOwnershipPrivilege	824	takeown.exe
Token: SeTakeOwnershipPrivilege	380	takeown.exe
Token: SeTakeOwnershipPrivilege	2732	takeown.exe
Token: SeTakeOwnershipPrivilege	512	takeown.exe
Token: SeTakeOwnershipPrivilege	3388	takeown.exe
Token: SeTakeOwnershipPrivilege	804	takeown.exe
Token: SeTakeOwnershipPrivilege	3040	takeown.exe
Token: SeTakeOwnershipPrivilege	4988	takeown.exe
Token: SeTakeOwnershipPrivilege	4024	takeown.exe
Token: SeTakeOwnershipPrivilege	4608	takeown.exe
Token: SeTakeOwnershipPrivilege	4212	takeown.exe
Token: SeTakeOwnershipPrivilege	4276	takeown.exe
Token: SeTakeOwnershipPrivilege	696	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe

pid process

1692 facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe

pid	process
1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe

description	pid	process	target process
PID 1692 wrote to memory of 1572	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 1572	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 1572	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 5016	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 5016	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 5016	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4728	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4728	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4728	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 2220	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 2220	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 2220	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4528	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4528	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4528	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4484	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4484	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4484	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4120	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4120	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4120	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 1648	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 1648	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 1648	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 824	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 824	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 824	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 3512	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 3512	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 3512	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 380	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 380	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 380	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 2676	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 2676	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 2676	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 2732	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 2732	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 2732	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4716	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4716	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4716	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 512	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 512	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 512	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 1468	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 1468	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 1468	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 3388	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 3388	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 3388	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 2748	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 2748	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 2748	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 804	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 804	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 804	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 4892	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4892	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 4892	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe
PID 1692 wrote to memory of 3040	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 3040	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 3040	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	takeown.exe
PID 1692 wrote to memory of 2592	1692	facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
"C:\Users\Admin\AppData\Local\Temp\facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\smlx.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1572

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\smlx.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5016

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2220

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4484

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1648

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3512

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2676

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4716

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1468

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2748

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4892

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2592

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1936

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:368

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1892

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4816

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4220

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\smlx.exe
Filesize
72KB

MD5
31620df922955bc7ac7989e4a7fde6e0

SHA1
17a4f735cf75dbf35d7e110221711b7378d0ca1e

SHA256
facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42

SHA512
a56e78860f49a9ecb1f11334a83b8399865a313c769f9161acaec79b293a9257a5955d3337a59ea9f10b3fcd948517ec4365e422b67b50813347f81345441dc1

Download Submit
memory/368-161-0x0000000000000000-mapping.dmp

Download
memory/380-146-0x0000000000000000-mapping.dmp

Download
memory/512-150-0x0000000000000000-mapping.dmp

Download
memory/696-168-0x0000000000000000-mapping.dmp

Download
memory/804-154-0x0000000000000000-mapping.dmp

Download
memory/824-144-0x0000000000000000-mapping.dmp

Download
memory/1468-151-0x0000000000000000-mapping.dmp

Download
memory/1572-135-0x0000000000000000-mapping.dmp

Download
memory/1648-143-0x0000000000000000-mapping.dmp

Download
memory/1892-163-0x0000000000000000-mapping.dmp

Download
memory/1936-159-0x0000000000000000-mapping.dmp

Download
memory/2220-139-0x0000000000000000-mapping.dmp

Download
memory/2592-157-0x0000000000000000-mapping.dmp

Download
memory/2676-147-0x0000000000000000-mapping.dmp

Download
memory/2732-148-0x0000000000000000-mapping.dmp

Download
memory/2748-153-0x0000000000000000-mapping.dmp

Download
memory/3040-156-0x0000000000000000-mapping.dmp

Download
memory/3388-152-0x0000000000000000-mapping.dmp

Download
memory/3512-145-0x0000000000000000-mapping.dmp

Download
memory/3772-169-0x0000000000000000-mapping.dmp

Download
memory/4024-160-0x0000000000000000-mapping.dmp

Download
memory/4120-142-0x0000000000000000-mapping.dmp

Download
memory/4212-164-0x0000000000000000-mapping.dmp

Download
memory/4220-167-0x0000000000000000-mapping.dmp

Download
memory/4276-166-0x0000000000000000-mapping.dmp

Download
memory/4484-141-0x0000000000000000-mapping.dmp

Download
memory/4528-140-0x0000000000000000-mapping.dmp

Download
memory/4608-162-0x0000000000000000-mapping.dmp

Download
memory/4716-149-0x0000000000000000-mapping.dmp

Download
memory/4728-138-0x0000000000000000-mapping.dmp

Download
memory/4816-165-0x0000000000000000-mapping.dmp

Download
memory/4892-155-0x0000000000000000-mapping.dmp

Download
memory/4988-158-0x0000000000000000-mapping.dmp

Download
memory/5016-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads