dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3

General

Target

dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe
Size

76KB
MD5

098a49e0eea24ae4b9c8f01c4ecc6410
SHA1

8a16646bfcc53306a7111deb7a7c2fc57a052146
SHA256

dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3
SHA512

bcbcecf70a19440a2a912a82999466c3ae0d7ed606b103c04b3e2cd7ade0c39ec03b3e3f4e699dfca8abc1339b19b991a0083a8690e0b8c45cc759474f88b681
SSDEEP

768:AjpsO93EjYWI5msZASgPFnov7RrSUsuj0t5VUYStWsLZE8ZimI+uFFeVsVX1:Ajp1tQu7RxOU6vnCE1

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
5060	takeown.exe
1828	takeown.exe
2224	takeown.exe
2564	icacls.exe
4408	icacls.exe
3492	icacls.exe
5092	icacls.exe
5080	takeown.exe
2560	icacls.exe
2488	takeown.exe
4648	takeown.exe
312	takeown.exe
3796	icacls.exe
2564	icacls.exe
2328	takeown.exe
3428	icacls.exe
308	icacls.exe
572	takeown.exe
1484	icacls.exe
4280	icacls.exe
5080	takeown.exe
1132	icacls.exe
4692	takeown.exe
2720	icacls.exe
4616	takeown.exe
1416	takeown.exe
4296	takeown.exe
2196	takeown.exe
2276	icacls.exe
4356	icacls.exe
4152	icacls.exe
4224	icacls.exe
2676	takeown.exe
804	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
2564	icacls.exe
2488	takeown.exe
572	takeown.exe
804	takeown.exe
3796	icacls.exe
1416	takeown.exe
5092	icacls.exe
4280	icacls.exe
2196	takeown.exe
4152	icacls.exe
1828	takeown.exe
5080	takeown.exe
2564	icacls.exe
4648	takeown.exe
1484	icacls.exe
312	takeown.exe
2276	icacls.exe
1132	icacls.exe
3492	icacls.exe
4296	takeown.exe
4616	takeown.exe
2560	icacls.exe
308	icacls.exe
4692	takeown.exe
4408	icacls.exe
2224	takeown.exe
5080	takeown.exe
3428	icacls.exe
5060	takeown.exe
2676	takeown.exe
2720	icacls.exe
2328	takeown.exe
4356	icacls.exe
4224	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\irikx.exe	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe
File created	C:\Windows\SysWOW64\irikx.exe	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4616	takeown.exe
Token: SeTakeOwnershipPrivilege	2488	takeown.exe
Token: SeTakeOwnershipPrivilege	2328	takeown.exe
Token: SeTakeOwnershipPrivilege	5060	takeown.exe
Token: SeTakeOwnershipPrivilege	4692	takeown.exe
Token: SeTakeOwnershipPrivilege	4648	takeown.exe
Token: SeTakeOwnershipPrivilege	1828	takeown.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	4296	takeown.exe
Token: SeTakeOwnershipPrivilege	2676	takeown.exe
Token: SeTakeOwnershipPrivilege	572	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe
Token: SeTakeOwnershipPrivilege	312	takeown.exe
Token: SeTakeOwnershipPrivilege	804	takeown.exe
Token: SeTakeOwnershipPrivilege	2196	takeown.exe
Token: SeTakeOwnershipPrivilege	5080	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe

pid process

4832 dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe

pid	process
4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe

description	pid	process	target process
PID 4832 wrote to memory of 5080	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 5080	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 5080	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2564	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 2564	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 2564	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4616	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4616	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4616	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2560	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 2560	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 2560	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 2488	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2488	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2488	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 1132	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 1132	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 1132	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 2328	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2328	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2328	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 3428	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 3428	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 3428	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 5060	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 5060	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 5060	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 308	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 308	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 308	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4692	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4692	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4692	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4356	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4356	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4356	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4648	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4648	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4648	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4152	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4152	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4152	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 1828	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 1828	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 1828	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4408	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4408	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4408	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 1416	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 1416	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 1416	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 3492	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 3492	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 3492	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4296	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4296	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4296	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 4224	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4224	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 4224	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe
PID 4832 wrote to memory of 2676	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2676	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2676	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	takeown.exe
PID 4832 wrote to memory of 2720	4832	dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe
"C:\Users\Admin\AppData\Local\Temp\dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\irikx.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5080

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\irikx.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2564

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2560

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1132

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3428

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:308

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4356

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4152

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4408

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3492

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2720

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1484

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5092

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4280

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3796

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2276

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\irikx.exe
Filesize
76KB

MD5
098a49e0eea24ae4b9c8f01c4ecc6410

SHA1
8a16646bfcc53306a7111deb7a7c2fc57a052146

SHA256
dc8a0f9420ecd55c40fbdde0d237c5f997f6703fef6e60a66108163d10de97c3

SHA512
bcbcecf70a19440a2a912a82999466c3ae0d7ed606b103c04b3e2cd7ade0c39ec03b3e3f4e699dfca8abc1339b19b991a0083a8690e0b8c45cc759474f88b681

Download Submit
memory/308-144-0x0000000000000000-mapping.dmp

Download
memory/312-161-0x0000000000000000-mapping.dmp

Download
memory/572-157-0x0000000000000000-mapping.dmp

Download
memory/804-163-0x0000000000000000-mapping.dmp

Download
memory/1132-140-0x0000000000000000-mapping.dmp

Download
memory/1416-151-0x0000000000000000-mapping.dmp

Download
memory/1484-158-0x0000000000000000-mapping.dmp

Download
memory/1828-149-0x0000000000000000-mapping.dmp

Download
memory/2196-165-0x0000000000000000-mapping.dmp

Download
memory/2224-159-0x0000000000000000-mapping.dmp

Download
memory/2276-166-0x0000000000000000-mapping.dmp

Download
memory/2328-141-0x0000000000000000-mapping.dmp

Download
memory/2488-139-0x0000000000000000-mapping.dmp

Download
memory/2560-138-0x0000000000000000-mapping.dmp

Download
memory/2564-168-0x0000000000000000-mapping.dmp

Download
memory/2564-136-0x0000000000000000-mapping.dmp

Download
memory/2676-155-0x0000000000000000-mapping.dmp

Download
memory/2720-156-0x0000000000000000-mapping.dmp

Download
memory/3428-142-0x0000000000000000-mapping.dmp

Download
memory/3492-152-0x0000000000000000-mapping.dmp

Download
memory/3796-164-0x0000000000000000-mapping.dmp

Download
memory/4152-148-0x0000000000000000-mapping.dmp

Download
memory/4224-154-0x0000000000000000-mapping.dmp

Download
memory/4280-162-0x0000000000000000-mapping.dmp

Download
memory/4296-153-0x0000000000000000-mapping.dmp

Download
memory/4356-146-0x0000000000000000-mapping.dmp

Download
memory/4408-150-0x0000000000000000-mapping.dmp

Download
memory/4616-137-0x0000000000000000-mapping.dmp

Download
memory/4648-147-0x0000000000000000-mapping.dmp

Download
memory/4692-145-0x0000000000000000-mapping.dmp

Download
memory/5060-143-0x0000000000000000-mapping.dmp

Download
memory/5080-134-0x0000000000000000-mapping.dmp

Download
memory/5080-167-0x0000000000000000-mapping.dmp

Download
memory/5092-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads