01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787

General

Target

01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
Size

68KB
MD5

0c55e9cc0009f4988fe82c3d56364ae1
SHA1

b30ab92cef12c6c6947df445dc8fdb046f785384
SHA256

01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787
SHA512

dada2ffcf35cb29b6181dfb164b4316960c6fc6b58017ba8523ac2852f347aca78b629505a4a974b565c346adc3aa5094e432f618f062c1a4cea2e382062f454
SSDEEP

768:1l3pC6nCe+5tqup0pfXzXg4iOw/D2rRY1hv1Tl/ed45V4peiwRpRQkEps4qKgVwG:P5Hg1DyY1fTdtyezXQX3wCxfKeoKm

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
2336	icacls.exe
4908	icacls.exe
2448	takeown.exe
2332	takeown.exe
3336	takeown.exe
5112	icacls.exe
2600	icacls.exe
1684	icacls.exe
3124	icacls.exe
4788	takeown.exe
3280	takeown.exe
1296	takeown.exe
1312	icacls.exe
1464	takeown.exe
4716	icacls.exe
1588	takeown.exe
5064	takeown.exe
3676	takeown.exe
3600	takeown.exe
3684	icacls.exe
4804	takeown.exe
3684	takeown.exe
4356	takeown.exe
4372	icacls.exe
1320	icacls.exe
2020	icacls.exe
1032	icacls.exe
5112	takeown.exe
3608	takeown.exe
1132	icacls.exe
952	takeown.exe
4028	icacls.exe
2116	icacls.exe
4656	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
4372	icacls.exe
1320	icacls.exe
1296	takeown.exe
3608	takeown.exe
5112	icacls.exe
1684	icacls.exe
1464	takeown.exe
2332	takeown.exe
2020	icacls.exe
4788	takeown.exe
5064	takeown.exe
4356	takeown.exe
3676	takeown.exe
3684	takeown.exe
1312	icacls.exe
952	takeown.exe
3600	takeown.exe
4028	icacls.exe
4716	icacls.exe
3124	icacls.exe
3684	icacls.exe
4656	icacls.exe
1132	icacls.exe
2600	icacls.exe
3336	takeown.exe
4804	takeown.exe
2336	icacls.exe
2448	takeown.exe
3280	takeown.exe
2116	icacls.exe
5112	takeown.exe
1588	takeown.exe
4908	icacls.exe
1032	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
File created	C:\Windows\SysWOW64\rozy.exe	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
File opened for modification	C:\Windows\SysWOW64\rozy.exe	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3608	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeTakeOwnershipPrivilege	3684	takeown.exe
Token: SeTakeOwnershipPrivilege	5064	takeown.exe
Token: SeTakeOwnershipPrivilege	4356	takeown.exe
Token: SeTakeOwnershipPrivilege	952	takeown.exe
Token: SeTakeOwnershipPrivilege	3676	takeown.exe
Token: SeTakeOwnershipPrivilege	3600	takeown.exe
Token: SeTakeOwnershipPrivilege	1296	takeown.exe
Token: SeTakeOwnershipPrivilege	2448	takeown.exe
Token: SeTakeOwnershipPrivilege	1464	takeown.exe
Token: SeTakeOwnershipPrivilege	2332	takeown.exe
Token: SeTakeOwnershipPrivilege	3336	takeown.exe
Token: SeTakeOwnershipPrivilege	4788	takeown.exe
Token: SeTakeOwnershipPrivilege	3280	takeown.exe
Token: SeTakeOwnershipPrivilege	5112	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe

pid process

2804 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe

pid	process
2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe

description	pid	process	target process
PID 2804 wrote to memory of 4804	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4804	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4804	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4656	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4656	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4656	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 3608	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3608	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3608	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1132	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1132	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1132	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1588	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1588	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1588	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 5112	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 5112	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 5112	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 3684	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3684	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3684	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4908	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4908	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4908	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 5064	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 5064	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 5064	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 2336	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 2336	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 2336	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4356	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4356	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4356	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1312	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1312	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1312	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 952	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 952	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 952	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4372	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4372	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4372	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 3676	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3676	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3676	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1320	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1320	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1320	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 3600	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3600	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 3600	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 2600	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 2600	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 2600	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 1296	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1296	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1296	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 4028	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4028	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 4028	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe
PID 2804 wrote to memory of 2448	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 2448	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 2448	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	takeown.exe
PID 2804 wrote to memory of 1684	2804	01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
"C:\Users\Admin\AppData\Local\Temp\01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\rozy.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4804

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\rozy.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4656

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1132

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5112

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4908

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2336

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4372

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1320

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2600

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4028

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1684

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4716

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2020

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3124

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2116

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1032

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rozy.exe
Filesize
68KB

MD5
0c55e9cc0009f4988fe82c3d56364ae1

SHA1
b30ab92cef12c6c6947df445dc8fdb046f785384

SHA256
01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787

SHA512
dada2ffcf35cb29b6181dfb164b4316960c6fc6b58017ba8523ac2852f347aca78b629505a4a974b565c346adc3aa5094e432f618f062c1a4cea2e382062f454

Download Submit
memory/952-147-0x0000000000000000-mapping.dmp

Download
memory/1032-166-0x0000000000000000-mapping.dmp

Download
memory/1132-138-0x0000000000000000-mapping.dmp

Download
memory/1296-153-0x0000000000000000-mapping.dmp

Download
memory/1312-146-0x0000000000000000-mapping.dmp

Download
memory/1320-150-0x0000000000000000-mapping.dmp

Download
memory/1464-157-0x0000000000000000-mapping.dmp

Download
memory/1588-139-0x0000000000000000-mapping.dmp

Download
memory/1684-156-0x0000000000000000-mapping.dmp

Download
memory/2020-160-0x0000000000000000-mapping.dmp

Download
memory/2116-164-0x0000000000000000-mapping.dmp

Download
memory/2332-159-0x0000000000000000-mapping.dmp

Download
memory/2336-144-0x0000000000000000-mapping.dmp

Download
memory/2448-155-0x0000000000000000-mapping.dmp

Download
memory/2600-152-0x0000000000000000-mapping.dmp

Download
memory/3124-162-0x0000000000000000-mapping.dmp

Download
memory/3280-165-0x0000000000000000-mapping.dmp

Download
memory/3336-161-0x0000000000000000-mapping.dmp

Download
memory/3600-151-0x0000000000000000-mapping.dmp

Download
memory/3608-137-0x0000000000000000-mapping.dmp

Download
memory/3676-149-0x0000000000000000-mapping.dmp

Download
memory/3684-141-0x0000000000000000-mapping.dmp

Download
memory/3684-168-0x0000000000000000-mapping.dmp

Download
memory/4028-154-0x0000000000000000-mapping.dmp

Download
memory/4356-145-0x0000000000000000-mapping.dmp

Download
memory/4372-148-0x0000000000000000-mapping.dmp

Download
memory/4656-136-0x0000000000000000-mapping.dmp

Download
memory/4716-158-0x0000000000000000-mapping.dmp

Download
memory/4788-163-0x0000000000000000-mapping.dmp

Download
memory/4804-134-0x0000000000000000-mapping.dmp

Download
memory/4908-142-0x0000000000000000-mapping.dmp

Download
memory/5064-143-0x0000000000000000-mapping.dmp

Download
memory/5112-167-0x0000000000000000-mapping.dmp

Download
memory/5112-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads