0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0

General

Target

0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
Size

68KB
MD5

0ea23ae31c365f335d8f7ae2bd9102e0
SHA1

55ec98cf8e28a6bb9466110d7011d8047fe4fc9e
SHA256

0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0
SHA512

edfee3213aa9a6edc2b52012833f256bc5a4b6e2ab9667e2b2843a49cd7da2c6ecce897e9c3442dc91282de340cae351ce72f7296bdd7455ce56949a910759ee
SSDEEP

768:LePg5Ixbki+FsefB9hehPMsmpeh+VZxuLifUBpbDci0Wh1GeZ6Z6jr0FyRWvp4u7:LACFONMN1ZxuLnt6cjrAXOdSeRW

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
1496	takeown.exe
4560	takeown.exe
2980	takeown.exe
1760	icacls.exe
448	icacls.exe
4252	takeown.exe
1632	icacls.exe
1068	takeown.exe
2624	takeown.exe
1556	icacls.exe
3200	takeown.exe
4688	icacls.exe
796	icacls.exe
2020	takeown.exe
1884	icacls.exe
1232	icacls.exe
3392	takeown.exe
3872	icacls.exe
2460	icacls.exe
3592	takeown.exe
3872	icacls.exe
3044	icacls.exe
1288	takeown.exe
696	takeown.exe
4972	takeown.exe
4324	takeown.exe
4812	takeown.exe
2476	icacls.exe
5068	takeown.exe
428	icacls.exe
732	icacls.exe
3196	icacls.exe
4048	takeown.exe
2164	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
1232	icacls.exe
4048	takeown.exe
2980	takeown.exe
4812	takeown.exe
3392	takeown.exe
2164	icacls.exe
1556	icacls.exe
4688	icacls.exe
4252	takeown.exe
1068	takeown.exe
3872	icacls.exe
1884	icacls.exe
1632	icacls.exe
696	takeown.exe
732	icacls.exe
2624	takeown.exe
3044	icacls.exe
4324	takeown.exe
796	icacls.exe
4972	takeown.exe
5068	takeown.exe
3196	icacls.exe
1288	takeown.exe
1760	icacls.exe
3872	icacls.exe
2460	icacls.exe
3592	takeown.exe
448	icacls.exe
1496	takeown.exe
3200	takeown.exe
4560	takeown.exe
2476	icacls.exe
428	icacls.exe
2020	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File created	C:\Windows\SysWOW64\rzfdq.exe	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification	C:\Windows\SysWOW64\rzfdq.exe	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3200	takeown.exe
Token: SeTakeOwnershipPrivilege	4560	takeown.exe
Token: SeTakeOwnershipPrivilege	4252	takeown.exe
Token: SeTakeOwnershipPrivilege	5068	takeown.exe
Token: SeTakeOwnershipPrivilege	4324	takeown.exe
Token: SeTakeOwnershipPrivilege	4048	takeown.exe
Token: SeTakeOwnershipPrivilege	2980	takeown.exe
Token: SeTakeOwnershipPrivilege	1288	takeown.exe
Token: SeTakeOwnershipPrivilege	3392	takeown.exe
Token: SeTakeOwnershipPrivilege	696	takeown.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeTakeOwnershipPrivilege	1068	takeown.exe
Token: SeTakeOwnershipPrivilege	2624	takeown.exe
Token: SeTakeOwnershipPrivilege	4972	takeown.exe
Token: SeTakeOwnershipPrivilege	3592	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe

pid process

2348 0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe

pid	process
2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe

description	pid	process	target process
PID 2348 wrote to memory of 1496	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1496	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1496	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3872	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3872	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3872	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3200	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3200	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3200	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4688	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 4688	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 4688	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 4560	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4560	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4560	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1884	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1884	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1884	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 4252	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4252	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4252	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3044	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3044	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3044	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 5068	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 5068	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 5068	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1232	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1232	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1232	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 4324	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4324	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4324	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3196	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3196	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3196	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 4048	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4048	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4048	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 428	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 428	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 428	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 2980	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 2980	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 2980	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1632	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1632	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1632	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1288	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1288	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1288	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 796	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 796	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 796	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 4812	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4812	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 4812	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 1760	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1760	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 1760	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe
PID 2348 wrote to memory of 3392	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3392	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3392	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	takeown.exe
PID 2348 wrote to memory of 3872	2348	0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
"C:\Users\Admin\AppData\Local\Temp\0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\rzfdq.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1496

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\rzfdq.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3872

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4688

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1884

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3044

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1232

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3196

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:428

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1632

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:796

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4812

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1760

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3872

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2164

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2460

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:732

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2476

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rzfdq.exe
Filesize
68KB

MD5
0ea23ae31c365f335d8f7ae2bd9102e0

SHA1
55ec98cf8e28a6bb9466110d7011d8047fe4fc9e

SHA256
0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0

SHA512
edfee3213aa9a6edc2b52012833f256bc5a4b6e2ab9667e2b2843a49cd7da2c6ecce897e9c3442dc91282de340cae351ce72f7296bdd7455ce56949a910759ee

Download Submit
memory/428-148-0x0000000000000000-mapping.dmp

Download
memory/448-168-0x0000000000000000-mapping.dmp

Download
memory/696-157-0x0000000000000000-mapping.dmp

Download
memory/732-162-0x0000000000000000-mapping.dmp

Download
memory/796-152-0x0000000000000000-mapping.dmp

Download
memory/1068-161-0x0000000000000000-mapping.dmp

Download
memory/1232-144-0x0000000000000000-mapping.dmp

Download
memory/1288-151-0x0000000000000000-mapping.dmp

Download
memory/1496-134-0x0000000000000000-mapping.dmp

Download
memory/1556-166-0x0000000000000000-mapping.dmp

Download
memory/1632-150-0x0000000000000000-mapping.dmp

Download
memory/1760-154-0x0000000000000000-mapping.dmp

Download
memory/1884-140-0x0000000000000000-mapping.dmp

Download
memory/2020-159-0x0000000000000000-mapping.dmp

Download
memory/2164-158-0x0000000000000000-mapping.dmp

Download
memory/2460-160-0x0000000000000000-mapping.dmp

Download
memory/2476-164-0x0000000000000000-mapping.dmp

Download
memory/2624-163-0x0000000000000000-mapping.dmp

Download
memory/2980-149-0x0000000000000000-mapping.dmp

Download
memory/3044-142-0x0000000000000000-mapping.dmp

Download
memory/3196-146-0x0000000000000000-mapping.dmp

Download
memory/3200-137-0x0000000000000000-mapping.dmp

Download
memory/3392-155-0x0000000000000000-mapping.dmp

Download
memory/3592-167-0x0000000000000000-mapping.dmp

Download
memory/3872-156-0x0000000000000000-mapping.dmp

Download
memory/3872-136-0x0000000000000000-mapping.dmp

Download
memory/4048-147-0x0000000000000000-mapping.dmp

Download
memory/4252-141-0x0000000000000000-mapping.dmp

Download
memory/4324-145-0x0000000000000000-mapping.dmp

Download
memory/4560-139-0x0000000000000000-mapping.dmp

Download
memory/4688-138-0x0000000000000000-mapping.dmp

Download
memory/4812-153-0x0000000000000000-mapping.dmp

Download
memory/4972-165-0x0000000000000000-mapping.dmp

Download
memory/5068-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads