aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115

Analysis

max time kernel
164s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe
Size

68KB
MD5

06e2bd79a1367dd6f114da4d8643e111
SHA1

581154dfcb968c8e3bdbccbda1c91b30e73711e1
SHA256

aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115
SHA512

e7654175fec67810bb56740d25bd2d5a6319d6df853b76b69b0b5551f8761fe009829994cf4b39578224ae542652864233e46db6162e1b43128beed315363d51
SSDEEP

768:uXHeO9zRdxHhIUthktJxetK7qGaEqWBqenLuP+CmYV3wafxKEVKy8r3kVfV3cjE8:ctY95aENq+9Y9wafikVNMQkT

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
916	icacls.exe
3144	takeown.exe
4552	takeown.exe
1720	icacls.exe
4300	takeown.exe
4780	takeown.exe
4060	takeown.exe
1684	icacls.exe
696	icacls.exe
3916	takeown.exe
4752	takeown.exe
4992	icacls.exe
4912	takeown.exe
5056	icacls.exe
4468	takeown.exe
868	icacls.exe
228	takeown.exe
3208	takeown.exe
1604	takeown.exe
1192	icacls.exe
2260	icacls.exe
4548	icacls.exe
3324	icacls.exe
2936	takeown.exe
2880	takeown.exe
3868	icacls.exe
4140	icacls.exe
2100	takeown.exe
3844	takeown.exe
540	icacls.exe
3976	icacls.exe
1012	icacls.exe
4896	icacls.exe
692	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2880	takeown.exe
4912	takeown.exe
692	takeown.exe
4780	takeown.exe
2100	takeown.exe
868	icacls.exe
3208	takeown.exe
3868	icacls.exe
4548	icacls.exe
4552	takeown.exe
1720	icacls.exe
5056	icacls.exe
4752	takeown.exe
540	icacls.exe
2936	takeown.exe
4060	takeown.exe
4992	icacls.exe
228	takeown.exe
3844	takeown.exe
3916	takeown.exe
2260	icacls.exe
4300	takeown.exe
3976	icacls.exe
4140	icacls.exe
916	icacls.exe
1604	takeown.exe
3144	takeown.exe
1012	icacls.exe
3324	icacls.exe
4896	icacls.exe
1192	icacls.exe
1684	icacls.exe
4468	takeown.exe
696	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe

description	ioc	process
File created	C:\Windows\SysWOW64\bwwx.exe	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe
File opened for modification	C:\Windows\SysWOW64\bwwx.exe	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4912	takeown.exe
Token: SeTakeOwnershipPrivilege	692	takeown.exe
Token: SeTakeOwnershipPrivilege	4468	takeown.exe
Token: SeTakeOwnershipPrivilege	2100	takeown.exe
Token: SeTakeOwnershipPrivilege	228	takeown.exe
Token: SeTakeOwnershipPrivilege	3208	takeown.exe
Token: SeTakeOwnershipPrivilege	4300	takeown.exe
Token: SeTakeOwnershipPrivilege	3844	takeown.exe
Token: SeTakeOwnershipPrivilege	1604	takeown.exe
Token: SeTakeOwnershipPrivilege	3144	takeown.exe
Token: SeTakeOwnershipPrivilege	3916	takeown.exe
Token: SeTakeOwnershipPrivilege	4752	takeown.exe
Token: SeTakeOwnershipPrivilege	4552	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeTakeOwnershipPrivilege	4780	takeown.exe
Token: SeTakeOwnershipPrivilege	4060	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe

pid process

3420 aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe

pid	process
3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe

description	pid	process	target process
PID 3420 wrote to memory of 2880	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 2880	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 2880	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 1192	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 1192	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 1192	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 4912	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4912	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4912	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 5056	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 5056	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 5056	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 692	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 692	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 692	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 1684	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 1684	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 1684	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 4468	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4468	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4468	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4992	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 4992	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 4992	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 2100	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 2100	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 2100	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 868	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 868	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 868	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 228	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 228	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 228	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 696	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 696	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 696	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 3208	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3208	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3208	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 2260	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 2260	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 2260	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 4300	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4300	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4300	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3976	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 3976	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 3976	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 3844	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3844	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3844	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 916	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 916	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 916	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 1604	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 1604	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 1604	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3868	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 3868	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 3868	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe
PID 3420 wrote to memory of 3144	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3144	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 3144	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	takeown.exe
PID 3420 wrote to memory of 4548	3420	aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe
"C:\Users\Admin\AppData\Local\Temp\aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\system32\bwwx.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2880
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\system32\bwwx.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1192
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5056
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1684
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4992
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:868
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:696
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2260
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3976
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:916
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3868
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4548
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4140
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1012
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3324
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4896
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:540
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bwwx.exe

Filesize
68KB

MD5
06e2bd79a1367dd6f114da4d8643e111

SHA1
581154dfcb968c8e3bdbccbda1c91b30e73711e1

SHA256
aaa2bb4633a740ab001960de4b9c07a60b42d4621f5f78c916041a69dd839115

SHA512
e7654175fec67810bb56740d25bd2d5a6319d6df853b76b69b0b5551f8761fe009829994cf4b39578224ae542652864233e46db6162e1b43128beed315363d51

Download Submit
memory/228-145-0x0000000000000000-mapping.dmp

Download
memory/540-166-0x0000000000000000-mapping.dmp

Download
memory/692-139-0x0000000000000000-mapping.dmp

Download
memory/696-146-0x0000000000000000-mapping.dmp

Download
memory/868-144-0x0000000000000000-mapping.dmp

Download
memory/916-152-0x0000000000000000-mapping.dmp

Download
memory/1012-160-0x0000000000000000-mapping.dmp

Download
memory/1192-136-0x0000000000000000-mapping.dmp

Download
memory/1604-153-0x0000000000000000-mapping.dmp

Download
memory/1684-140-0x0000000000000000-mapping.dmp

Download
memory/1720-168-0x0000000000000000-mapping.dmp

Download
memory/2100-143-0x0000000000000000-mapping.dmp

Download
memory/2260-148-0x0000000000000000-mapping.dmp

Download
memory/2880-134-0x0000000000000000-mapping.dmp

Download
memory/2936-163-0x0000000000000000-mapping.dmp

Download
memory/3144-155-0x0000000000000000-mapping.dmp

Download
memory/3208-147-0x0000000000000000-mapping.dmp

Download
memory/3324-162-0x0000000000000000-mapping.dmp

Download
memory/3844-151-0x0000000000000000-mapping.dmp

Download
memory/3868-154-0x0000000000000000-mapping.dmp

Download
memory/3916-157-0x0000000000000000-mapping.dmp

Download
memory/3976-150-0x0000000000000000-mapping.dmp

Download
memory/4060-167-0x0000000000000000-mapping.dmp

Download
memory/4140-158-0x0000000000000000-mapping.dmp

Download
memory/4300-149-0x0000000000000000-mapping.dmp

Download
memory/4468-141-0x0000000000000000-mapping.dmp

Download
memory/4548-156-0x0000000000000000-mapping.dmp

Download
memory/4552-161-0x0000000000000000-mapping.dmp

Download
memory/4752-159-0x0000000000000000-mapping.dmp

Download
memory/4780-165-0x0000000000000000-mapping.dmp

Download
memory/4896-164-0x0000000000000000-mapping.dmp

Download
memory/4912-137-0x0000000000000000-mapping.dmp

Download
memory/4992-142-0x0000000000000000-mapping.dmp

Download
memory/5056-138-0x0000000000000000-mapping.dmp

Download