Analysis
- Max time kernel: 172s
- Max time network: 185s
- Platform: windows10-2004_x64
- Resource: win10v2004-20221111-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 18-11-2022 23:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
- Resource: win7-20220812-en
General
- Target: e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
- Size: 68KB
- MD5: 260b3c4a413811c479d9d1de96eda7e1
- SHA1: 2a451ab1256878ac86addf9a8cbea94149b3007c
- SHA256: e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef
- SHA512: fdb57c7a1afc0e89747f3598162f1db4df5c7e392f0cc18a848cf849e70239c754a6b140dc7e2f8c8400f6265b701bf31299f5d69afe91a5f5b2b58e5a105ea7
- SSDEEP: 768:5cHMXGynp6qG0gAWvCgDjqasgugCruM/FBwgeSzm1e2Hf84vRJnx4KhUjbjzFXZ:5kJyn5GffNGBuMdCgVKBHfPMjzVZ
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (PID process): 3748 icacls.exe, 1452 takeown.exe, 3120 takeown.exe, 1084 takeown.exe, 3652 takeown.exe, 4288 icacls.exe, 4136 icacls.exe, 4980 takeown.exe, 2400 icacls.exe, 4332 takeown.exe, 2504 takeown.exe, 2780 icacls.exe, 4328 takeown.exe, 2748 takeown.exe, 1508 icacls.exe, 744 takeown.exe, 744 takeown.exe, 2376 icacls.exe, 3368 takeown.exe, 1248 icacls.exe, 3508 takeown.exe, 3288 icacls.exe, 4380 icacls.exe, 2940 takeown.exe, 2040 icacls.exe, 1256 icacls.exe, 4404 icacls.exe, 2972 takeown.exe, 4304 takeown.exe, 3708 icacls.exe, 2528 icacls.exe, 832 takeown.exe, 4108 icacls.exe, 3752 icacls.exe
- Modifies file permissions (1 TTP, 34 IoCs)
  Processes (PID process): 4404 icacls.exe, 1084 takeown.exe, 3708 icacls.exe, 2528 icacls.exe, 832 takeown.exe, 4136 icacls.exe, 3748 icacls.exe, 4328 takeown.exe, 4332 takeown.exe, 4288 icacls.exe, 2780 icacls.exe, 4380 icacls.exe, 3752 icacls.exe, 2972 takeown.exe, 1248 icacls.exe, 3652 takeown.exe, 2400 icacls.exe, 2040 icacls.exe, 4108 icacls.exe, 1256 icacls.exe, 3368 takeown.exe, 1508 icacls.exe, 744 takeown.exe, 2376 icacls.exe, 3508 takeown.exe, 3288 icacls.exe, 2504 takeown.exe, 4980 takeown.exe, 2748 takeown.exe, 744 takeown.exe, 1452 takeown.exe, 3120 takeown.exe, 2940 takeown.exe, 4304 takeown.exe
- Drops file in System32 directory (6 IoCs)
  Process: e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
  - File opened for modification: C:\Windows\SysWOW64\cscript.exe
  - File created: C:\Windows\SysWOW64\otnd.exe
  - File opened for modification: C:\Windows\SysWOW64\otnd.exe
  - File opened for modification: C:\Windows\SysWOW64\cmd.exe
  - File opened for modification: C:\Windows\SysWOW64\ftp.exe
  - File opened for modification: C:\Windows\SysWOW64\wscript.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token adjusted: SeTakeOwnershipPrivilege, by takeown.exe with PIDs 744, 4328, 2940, 2748, 1452, 3120, 4332, 3368, 1084, 2972, 2504, 3652, 3508, 744, 832, 4304
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: 4416 e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4416 (e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe) wrote to the memory of its child processes, three events each, in this order: 4980 takeown.exe, 3748 icacls.exe, 744 takeown.exe, 4380 icacls.exe, 4328 takeown.exe, 2376 icacls.exe, 2940 takeown.exe, 4108 icacls.exe, 2748 takeown.exe, 3752 icacls.exe, 1452 takeown.exe, 2400 icacls.exe, 3120 takeown.exe, 2040 icacls.exe, 4332 takeown.exe, 1256 icacls.exe, 3368 takeown.exe, 4404 icacls.exe, 1084 takeown.exe, 1508 icacls.exe, 2972 takeown.exe; a single event for 1248 icacls.exe is the last one listed before the 64-IoC cut-off.
Processes
Process tree: level 1 is the submitted sample, level 2 its direct children. Image paths are reported under C:\Windows\SysWOW64 even where the command line names C:\Windows\system32, because the sample is 32-bit and WOW64 file-system redirection applies.

- [1] C:\Users\Admin\AppData\Local\Temp\e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\otnd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\otnd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - [2] C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\SysWOW64\otnd.exe
  Filesize: 68KB
  MD5: 260b3c4a413811c479d9d1de96eda7e1
  SHA1: 2a451ab1256878ac86addf9a8cbea94149b3007c
  SHA256: e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef
  SHA512: fdb57c7a1afc0e89747f3598162f1db4df5c7e392f0cc18a848cf849e70239c754a6b140dc7e2f8c8400f6265b701bf31299f5d69afe91a5f5b2b58e5a105ea7
  All four hashes match the submitted sample, so the dropped otnd.exe is a byte-for-byte copy of it.