134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075

General

Target

134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe
Size

72KB
MD5

0ce83cefec533da1b55a19fb5fbc5a91
SHA1

274d8fadc082bad379f72e459b6be282db079aee
SHA256

134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075
SHA512

0fd2130f2f1ff2f276b93272e688d062429b3fe614525b6716a9ac797e8e240eb38bbfc6ae2ce9e3f01411175da63fc5eba7a0c3960e89a56f2c75f7f98746dc
SSDEEP

1536:1aO7qWmNYhwMLeOB4NGMciVOwRRl7hXXjp:1thwMVTiVOwRDdV

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
2172	takeown.exe
4328	icacls.exe
4112	takeown.exe
2140	icacls.exe
2980	takeown.exe
2760	takeown.exe
3924	takeown.exe
4892	icacls.exe
4176	icacls.exe
3656	takeown.exe
2392	takeown.exe
3940	takeown.exe
4016	icacls.exe
2400	icacls.exe
3640	icacls.exe
3752	icacls.exe
3976	icacls.exe
2584	icacls.exe
4400	takeown.exe
1724	takeown.exe
1216	icacls.exe
888	icacls.exe
3464	takeown.exe
1956	icacls.exe
4600	takeown.exe
2416	icacls.exe
3880	takeown.exe
3808	takeown.exe
4144	takeown.exe
4760	takeown.exe
3388	takeown.exe
1508	icacls.exe
2088	icacls.exe
2936	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
888	icacls.exe
2392	takeown.exe
2400	icacls.exe
1956	icacls.exe
4600	takeown.exe
3752	icacls.exe
2760	takeown.exe
2416	icacls.exe
4892	icacls.exe
4176	icacls.exe
3388	takeown.exe
3880	takeown.exe
3656	takeown.exe
4760	takeown.exe
3976	icacls.exe
2172	takeown.exe
4016	icacls.exe
2936	icacls.exe
4144	takeown.exe
3924	takeown.exe
2140	icacls.exe
3808	takeown.exe
1508	icacls.exe
4328	icacls.exe
4112	takeown.exe
3640	icacls.exe
2980	takeown.exe
2584	icacls.exe
3464	takeown.exe
1724	takeown.exe
1216	icacls.exe
2088	icacls.exe
4400	takeown.exe
3940	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe
File created	C:\Windows\SysWOW64\rwela.exe	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe
File opened for modification	C:\Windows\SysWOW64\rwela.exe	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4112	takeown.exe
Token: SeTakeOwnershipPrivilege	4600	takeown.exe
Token: SeTakeOwnershipPrivilege	4760	takeown.exe
Token: SeTakeOwnershipPrivilege	3924	takeown.exe
Token: SeTakeOwnershipPrivilege	3388	takeown.exe
Token: SeTakeOwnershipPrivilege	2980	takeown.exe
Token: SeTakeOwnershipPrivilege	2760	takeown.exe
Token: SeTakeOwnershipPrivilege	2172	takeown.exe
Token: SeTakeOwnershipPrivilege	3880	takeown.exe
Token: SeTakeOwnershipPrivilege	4400	takeown.exe
Token: SeTakeOwnershipPrivilege	3808	takeown.exe
Token: SeTakeOwnershipPrivilege	3656	takeown.exe
Token: SeTakeOwnershipPrivilege	2392	takeown.exe
Token: SeTakeOwnershipPrivilege	4144	takeown.exe
Token: SeTakeOwnershipPrivilege	3940	takeown.exe
Token: SeTakeOwnershipPrivilege	3464	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe

pid process

4632 134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe

pid	process
4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe

description	pid	process	target process
PID 4632 wrote to memory of 1724	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 1724	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 1724	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4328	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4328	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4328	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4112	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4112	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4112	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4176	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4176	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4176	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4600	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4600	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4600	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 1216	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 1216	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 1216	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4760	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4760	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4760	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3640	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3640	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3640	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3924	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3924	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3924	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3752	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3752	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3752	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3388	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3388	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3388	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2140	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2140	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2140	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2980	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2980	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2980	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3976	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3976	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3976	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2760	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2760	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2760	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2416	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2416	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2416	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2172	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2172	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2172	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4892	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4892	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4892	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 3880	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3880	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 3880	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 2584	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2584	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 2584	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe
PID 4632 wrote to memory of 4400	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4400	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4400	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	takeown.exe
PID 4632 wrote to memory of 4016	4632	134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe
"C:\Users\Admin\AppData\Local\Temp\134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\rwela.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1724

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\rwela.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4328

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4176

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1216

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3640

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3752

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2140

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3976

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2416

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4892

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2584

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4016

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2936

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:888

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2400

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1508

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2088

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rwela.exe
Filesize
72KB

MD5
0ce83cefec533da1b55a19fb5fbc5a91

SHA1
274d8fadc082bad379f72e459b6be282db079aee

SHA256
134067df9a813752b9551424bbd3d196e6bd695b5a991e2caaf6260b1f7f0075

SHA512
0fd2130f2f1ff2f276b93272e688d062429b3fe614525b6716a9ac797e8e240eb38bbfc6ae2ce9e3f01411175da63fc5eba7a0c3960e89a56f2c75f7f98746dc

Download Submit
memory/888-160-0x0000000000000000-mapping.dmp

Download
memory/1216-140-0x0000000000000000-mapping.dmp

Download
memory/1508-164-0x0000000000000000-mapping.dmp

Download
memory/1724-134-0x0000000000000000-mapping.dmp

Download
memory/1956-168-0x0000000000000000-mapping.dmp

Download
memory/2088-166-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000000000000-mapping.dmp

Download
memory/2172-151-0x0000000000000000-mapping.dmp

Download
memory/2392-161-0x0000000000000000-mapping.dmp

Download
memory/2400-162-0x0000000000000000-mapping.dmp

Download
memory/2416-150-0x0000000000000000-mapping.dmp

Download
memory/2584-154-0x0000000000000000-mapping.dmp

Download
memory/2760-149-0x0000000000000000-mapping.dmp

Download
memory/2936-158-0x0000000000000000-mapping.dmp

Download
memory/2980-147-0x0000000000000000-mapping.dmp

Download
memory/3388-145-0x0000000000000000-mapping.dmp

Download
memory/3464-167-0x0000000000000000-mapping.dmp

Download
memory/3640-142-0x0000000000000000-mapping.dmp

Download
memory/3656-159-0x0000000000000000-mapping.dmp

Download
memory/3752-144-0x0000000000000000-mapping.dmp

Download
memory/3808-157-0x0000000000000000-mapping.dmp

Download
memory/3880-153-0x0000000000000000-mapping.dmp

Download
memory/3924-143-0x0000000000000000-mapping.dmp

Download
memory/3940-165-0x0000000000000000-mapping.dmp

Download
memory/3976-148-0x0000000000000000-mapping.dmp

Download
memory/4016-156-0x0000000000000000-mapping.dmp

Download
memory/4112-137-0x0000000000000000-mapping.dmp

Download
memory/4144-163-0x0000000000000000-mapping.dmp

Download
memory/4176-138-0x0000000000000000-mapping.dmp

Download
memory/4328-136-0x0000000000000000-mapping.dmp

Download
memory/4400-155-0x0000000000000000-mapping.dmp

Download
memory/4600-139-0x0000000000000000-mapping.dmp

Download
memory/4760-141-0x0000000000000000-mapping.dmp

Download
memory/4892-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads