39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b

General

Target

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
Size

68KB
MD5

09c9cc3ad2ce8533dc525922f59ba5f1
SHA1

287b44545e7e3c350f228959675a6499d6bf4a91
SHA256

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b
SHA512

fb33f8f5b80910485f726dfa90a2d3cc828bbaaf0b5269ce2669d3995bffa5c1c3fc23fde8b3a1f09d619805cb360fd9bd380f8775bfbae53ab0ba82c94a9e18
SSDEEP

768:tGv4faI/ytd7rUBTdHt+rfG6EJtbOrwcJzjIjIV/gBxHEcI9S9yoJ8q7jSpRNHYp:tGv4fa4b5Oc3awKkqGsXkA1OS4TEBO

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
1436	takeown.exe
3104	takeown.exe
3148	icacls.exe
1792	takeown.exe
856	icacls.exe
4020	icacls.exe
3480	takeown.exe
4388	takeown.exe
4924	icacls.exe
4652	takeown.exe
604	icacls.exe
2220	takeown.exe
5096	icacls.exe
3500	icacls.exe
4548	icacls.exe
3844	icacls.exe
4680	icacls.exe
1572	icacls.exe
2860	takeown.exe
4208	takeown.exe
4296	takeown.exe
424	takeown.exe
3548	icacls.exe
1844	icacls.exe
3596	icacls.exe
3840	takeown.exe
4948	takeown.exe
4844	icacls.exe
4492	icacls.exe
2440	takeown.exe
1512	takeown.exe
4468	takeown.exe
3324	icacls.exe
4272	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
5096	icacls.exe
3596	icacls.exe
4492	icacls.exe
856	icacls.exe
3844	icacls.exe
3480	takeown.exe
4388	takeown.exe
1572	icacls.exe
3104	takeown.exe
4272	takeown.exe
3548	icacls.exe
4020	icacls.exe
4680	icacls.exe
3324	icacls.exe
3148	icacls.exe
424	takeown.exe
2860	takeown.exe
4924	icacls.exe
2440	takeown.exe
604	icacls.exe
4844	icacls.exe
1792	takeown.exe
4208	takeown.exe
1512	takeown.exe
4948	takeown.exe
2220	takeown.exe
1436	takeown.exe
4296	takeown.exe
4652	takeown.exe
4548	icacls.exe
4468	takeown.exe
3500	icacls.exe
3840	takeown.exe
1844	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
File created	C:\Windows\SysWOW64\bbvcb.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
File opened for modification	C:\Windows\SysWOW64\bbvcb.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4208	takeown.exe
Token: SeTakeOwnershipPrivilege	4652	takeown.exe
Token: SeTakeOwnershipPrivilege	4296	takeown.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	3840	takeown.exe
Token: SeTakeOwnershipPrivilege	4948	takeown.exe
Token: SeTakeOwnershipPrivilege	3104	takeown.exe
Token: SeTakeOwnershipPrivilege	424	takeown.exe
Token: SeTakeOwnershipPrivilege	4272	takeown.exe
Token: SeTakeOwnershipPrivilege	2220	takeown.exe
Token: SeTakeOwnershipPrivilege	1792	takeown.exe
Token: SeTakeOwnershipPrivilege	4468	takeown.exe
Token: SeTakeOwnershipPrivilege	1436	takeown.exe
Token: SeTakeOwnershipPrivilege	2860	takeown.exe
Token: SeTakeOwnershipPrivilege	3480	takeown.exe
Token: SeTakeOwnershipPrivilege	4388	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

pid process

4496 39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

pid	process
4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

description	pid	process	target process
PID 4496 wrote to memory of 2440	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 2440	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 2440	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3324	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3324	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3324	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4208	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4208	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4208	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3500	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3500	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3500	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4652	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4652	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4652	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 604	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 604	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 604	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4296	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4296	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4296	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4548	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4548	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4548	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 1512	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 1512	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 1512	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 1844	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 1844	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 1844	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3840	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3840	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3840	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 1572	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 1572	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 1572	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4948	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4948	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4948	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3596	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3596	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3596	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3104	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3104	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3104	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 3148	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3148	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 3148	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 424	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 424	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 424	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4844	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4844	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4844	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4272	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4272	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4272	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 4492	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4492	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 4492	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 4496 wrote to memory of 2220	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 2220	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 2220	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 4496 wrote to memory of 5096	4496	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
"C:\Users\Admin\AppData\Local\Temp\39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\bbvcb.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2440

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\bbvcb.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3324

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3500

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:604

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4548

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1844

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1572

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3596

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3148

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4844

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4492

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5096

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:856

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3548

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3844

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4020

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4680

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bbvcb.exe
Filesize
68KB

MD5
09c9cc3ad2ce8533dc525922f59ba5f1

SHA1
287b44545e7e3c350f228959675a6499d6bf4a91

SHA256
39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b

SHA512
fb33f8f5b80910485f726dfa90a2d3cc828bbaaf0b5269ce2669d3995bffa5c1c3fc23fde8b3a1f09d619805cb360fd9bd380f8775bfbae53ab0ba82c94a9e18

Download Submit
memory/424-151-0x0000000000000000-mapping.dmp

Download
memory/604-140-0x0000000000000000-mapping.dmp

Download
memory/856-158-0x0000000000000000-mapping.dmp

Download
memory/1436-161-0x0000000000000000-mapping.dmp

Download
memory/1512-143-0x0000000000000000-mapping.dmp

Download
memory/1572-146-0x0000000000000000-mapping.dmp

Download
memory/1792-157-0x0000000000000000-mapping.dmp

Download
memory/1844-144-0x0000000000000000-mapping.dmp

Download
memory/2220-155-0x0000000000000000-mapping.dmp

Download
memory/2440-134-0x0000000000000000-mapping.dmp

Download
memory/2860-163-0x0000000000000000-mapping.dmp

Download
memory/3104-149-0x0000000000000000-mapping.dmp

Download
memory/3148-150-0x0000000000000000-mapping.dmp

Download
memory/3324-136-0x0000000000000000-mapping.dmp

Download
memory/3480-165-0x0000000000000000-mapping.dmp

Download
memory/3500-138-0x0000000000000000-mapping.dmp

Download
memory/3548-160-0x0000000000000000-mapping.dmp

Download
memory/3596-148-0x0000000000000000-mapping.dmp

Download
memory/3840-145-0x0000000000000000-mapping.dmp

Download
memory/3844-162-0x0000000000000000-mapping.dmp

Download
memory/4020-164-0x0000000000000000-mapping.dmp

Download
memory/4208-137-0x0000000000000000-mapping.dmp

Download
memory/4272-153-0x0000000000000000-mapping.dmp

Download
memory/4296-141-0x0000000000000000-mapping.dmp

Download
memory/4388-167-0x0000000000000000-mapping.dmp

Download
memory/4468-159-0x0000000000000000-mapping.dmp

Download
memory/4492-154-0x0000000000000000-mapping.dmp

Download
memory/4548-142-0x0000000000000000-mapping.dmp

Download
memory/4652-139-0x0000000000000000-mapping.dmp

Download
memory/4680-166-0x0000000000000000-mapping.dmp

Download
memory/4844-152-0x0000000000000000-mapping.dmp

Download
memory/4924-168-0x0000000000000000-mapping.dmp

Download
memory/4948-147-0x0000000000000000-mapping.dmp

Download
memory/5096-156-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads