88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29

General

Target

88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
Size

72KB
MD5

09ca2311b84a66711318fb4d2b05b8f6
SHA1

a82a0de4ca864ebf874a36becbac8df16d222d2f
SHA256

88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29
SHA512

8c796b44ae5938e2a4dee734fa607e0b49ff1ca61a29f7b76ea6294ae193e2464cffaefb845d69e00f87d0edd62f9944ed1e2d0280b22a80d5d506ff7a3141f1
SSDEEP

1536:+Uxl6Y7CJR5Dk4luQAqxkK+y0MWlK+/qItu/:++g7kSan9VIN/

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
3804	takeown.exe
1960	icacls.exe
2148	takeown.exe
3128	takeown.exe
2360	icacls.exe
2440	icacls.exe
4808	takeown.exe
4424	takeown.exe
4344	icacls.exe
4596	takeown.exe
3432	icacls.exe
3448	takeown.exe
1092	icacls.exe
1680	icacls.exe
3508	takeown.exe
4020	icacls.exe
3164	takeown.exe
1816	icacls.exe
4080	takeown.exe
1060	icacls.exe
4948	takeown.exe
1180	takeown.exe
2372	takeown.exe
1508	icacls.exe
4608	icacls.exe
1100	icacls.exe
3428	icacls.exe
4224	icacls.exe
4756	takeown.exe
1392	takeown.exe
2104	takeown.exe
3696	icacls.exe
1360	takeown.exe
3156	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
4948	takeown.exe
4344	icacls.exe
2372	takeown.exe
4608	icacls.exe
3156	icacls.exe
1392	takeown.exe
2360	icacls.exe
3432	icacls.exe
4080	takeown.exe
1092	icacls.exe
3128	takeown.exe
2104	takeown.exe
1680	icacls.exe
4424	takeown.exe
4224	icacls.exe
4596	takeown.exe
4756	takeown.exe
1060	icacls.exe
3428	icacls.exe
4020	icacls.exe
1180	takeown.exe
1360	takeown.exe
2148	takeown.exe
3508	takeown.exe
3164	takeown.exe
3696	icacls.exe
1508	icacls.exe
4808	takeown.exe
1816	icacls.exe
1100	icacls.exe
3804	takeown.exe
1960	icacls.exe
2440	icacls.exe
3448	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\vitc.exe	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
File created	C:\Windows\SysWOW64\vitc.exe	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4808	takeown.exe
Token: SeTakeOwnershipPrivilege	4080	takeown.exe
Token: SeTakeOwnershipPrivilege	4756	takeown.exe
Token: SeTakeOwnershipPrivilege	1392	takeown.exe
Token: SeTakeOwnershipPrivilege	2148	takeown.exe
Token: SeTakeOwnershipPrivilege	3448	takeown.exe
Token: SeTakeOwnershipPrivilege	4948	takeown.exe
Token: SeTakeOwnershipPrivilege	2104	takeown.exe
Token: SeTakeOwnershipPrivilege	4424	takeown.exe
Token: SeTakeOwnershipPrivilege	3128	takeown.exe
Token: SeTakeOwnershipPrivilege	4596	takeown.exe
Token: SeTakeOwnershipPrivilege	3508	takeown.exe
Token: SeTakeOwnershipPrivilege	1180	takeown.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe
Token: SeTakeOwnershipPrivilege	2372	takeown.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe

pid process

4972 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe

pid	process
4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe

description	pid	process	target process
PID 4972 wrote to memory of 3804	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3804	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3804	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4608	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4608	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4608	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4808	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4808	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4808	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1960	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1960	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1960	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4080	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4080	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4080	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3156	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 3156	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 3156	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4756	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4756	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4756	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1816	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1816	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1816	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1392	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1392	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1392	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1100	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1100	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1100	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 2148	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 2148	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 2148	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1060	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1060	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1060	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 3448	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3448	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3448	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1092	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1092	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1092	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4948	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4948	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4948	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3428	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 3428	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 3428	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 2104	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 2104	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 2104	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 1680	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1680	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 1680	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4424	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4424	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4424	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4344	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4344	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 4344	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe
PID 4972 wrote to memory of 3128	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3128	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 3128	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	takeown.exe
PID 4972 wrote to memory of 4224	4972	88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
"C:\Users\Admin\AppData\Local\Temp\88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\vitc.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3804

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\vitc.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4608

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1960

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3156

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1816

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1100

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1092

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3428

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1680

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4344

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3696

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4020

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2360

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2440

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3432

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vitc.exe
Filesize
72KB

MD5
09ca2311b84a66711318fb4d2b05b8f6

SHA1
a82a0de4ca864ebf874a36becbac8df16d222d2f

SHA256
88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29

SHA512
8c796b44ae5938e2a4dee734fa607e0b49ff1ca61a29f7b76ea6294ae193e2464cffaefb845d69e00f87d0edd62f9944ed1e2d0280b22a80d5d506ff7a3141f1

Download Submit
memory/1060-146-0x0000000000000000-mapping.dmp

Download
memory/1092-148-0x0000000000000000-mapping.dmp

Download
memory/1100-144-0x0000000000000000-mapping.dmp

Download
memory/1180-161-0x0000000000000000-mapping.dmp

Download
memory/1360-167-0x0000000000000000-mapping.dmp

Download
memory/1392-143-0x0000000000000000-mapping.dmp

Download
memory/1508-168-0x0000000000000000-mapping.dmp

Download
memory/1680-152-0x0000000000000000-mapping.dmp

Download
memory/1816-142-0x0000000000000000-mapping.dmp

Download
memory/1960-138-0x0000000000000000-mapping.dmp

Download
memory/2104-151-0x0000000000000000-mapping.dmp

Download
memory/2148-145-0x0000000000000000-mapping.dmp

Download
memory/2360-162-0x0000000000000000-mapping.dmp

Download
memory/2372-165-0x0000000000000000-mapping.dmp

Download
memory/2440-164-0x0000000000000000-mapping.dmp

Download
memory/3128-155-0x0000000000000000-mapping.dmp

Download
memory/3156-140-0x0000000000000000-mapping.dmp

Download
memory/3164-163-0x0000000000000000-mapping.dmp

Download
memory/3428-150-0x0000000000000000-mapping.dmp

Download
memory/3432-166-0x0000000000000000-mapping.dmp

Download
memory/3448-147-0x0000000000000000-mapping.dmp

Download
memory/3508-159-0x0000000000000000-mapping.dmp

Download
memory/3696-158-0x0000000000000000-mapping.dmp

Download
memory/3804-134-0x0000000000000000-mapping.dmp

Download
memory/4020-160-0x0000000000000000-mapping.dmp

Download
memory/4080-139-0x0000000000000000-mapping.dmp

Download
memory/4224-156-0x0000000000000000-mapping.dmp

Download
memory/4344-154-0x0000000000000000-mapping.dmp

Download
memory/4424-153-0x0000000000000000-mapping.dmp

Download
memory/4596-157-0x0000000000000000-mapping.dmp

Download
memory/4608-136-0x0000000000000000-mapping.dmp

Download
memory/4756-141-0x0000000000000000-mapping.dmp

Download
memory/4808-137-0x0000000000000000-mapping.dmp

Download
memory/4948-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads