e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef

General

Target

e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
Size

68KB
MD5

260b3c4a413811c479d9d1de96eda7e1
SHA1

2a451ab1256878ac86addf9a8cbea94149b3007c
SHA256

e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef
SHA512

fdb57c7a1afc0e89747f3598162f1db4df5c7e392f0cc18a848cf849e70239c754a6b140dc7e2f8c8400f6265b701bf31299f5d69afe91a5f5b2b58e5a105ea7
SSDEEP

768:5cHMXGynp6qG0gAWvCgDjqasgugCruM/FBwgeSzm1e2Hf84vRJnx4KhUjbjzFXZ:5kJyn5GffNGBuMdCgVKBHfPMjzVZ

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
3748	icacls.exe
1452	takeown.exe
3120	takeown.exe
1084	takeown.exe
3652	takeown.exe
4288	icacls.exe
4136	icacls.exe
4980	takeown.exe
2400	icacls.exe
4332	takeown.exe
2504	takeown.exe
2780	icacls.exe
4328	takeown.exe
2748	takeown.exe
1508	icacls.exe
744	takeown.exe
744	takeown.exe
2376	icacls.exe
3368	takeown.exe
1248	icacls.exe
3508	takeown.exe
3288	icacls.exe
4380	icacls.exe
2940	takeown.exe
2040	icacls.exe
1256	icacls.exe
4404	icacls.exe
2972	takeown.exe
4304	takeown.exe
3708	icacls.exe
2528	icacls.exe
832	takeown.exe
4108	icacls.exe
3752	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4404	icacls.exe
1084	takeown.exe
3708	icacls.exe
2528	icacls.exe
832	takeown.exe
4136	icacls.exe
3748	icacls.exe
4328	takeown.exe
4332	takeown.exe
4288	icacls.exe
2780	icacls.exe
4380	icacls.exe
3752	icacls.exe
2972	takeown.exe
1248	icacls.exe
3652	takeown.exe
2400	icacls.exe
2040	icacls.exe
4108	icacls.exe
1256	icacls.exe
3368	takeown.exe
1508	icacls.exe
744	takeown.exe
2376	icacls.exe
3508	takeown.exe
3288	icacls.exe
2504	takeown.exe
4980	takeown.exe
2748	takeown.exe
744	takeown.exe
1452	takeown.exe
3120	takeown.exe
2940	takeown.exe
4304	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cscript.exe	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
File created	C:\Windows\SysWOW64\otnd.exe	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
File opened for modification	C:\Windows\SysWOW64\otnd.exe	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	744	takeown.exe
Token: SeTakeOwnershipPrivilege	4328	takeown.exe
Token: SeTakeOwnershipPrivilege	2940	takeown.exe
Token: SeTakeOwnershipPrivilege	2748	takeown.exe
Token: SeTakeOwnershipPrivilege	1452	takeown.exe
Token: SeTakeOwnershipPrivilege	3120	takeown.exe
Token: SeTakeOwnershipPrivilege	4332	takeown.exe
Token: SeTakeOwnershipPrivilege	3368	takeown.exe
Token: SeTakeOwnershipPrivilege	1084	takeown.exe
Token: SeTakeOwnershipPrivilege	2972	takeown.exe
Token: SeTakeOwnershipPrivilege	2504	takeown.exe
Token: SeTakeOwnershipPrivilege	3652	takeown.exe
Token: SeTakeOwnershipPrivilege	3508	takeown.exe
Token: SeTakeOwnershipPrivilege	744	takeown.exe
Token: SeTakeOwnershipPrivilege	832	takeown.exe
Token: SeTakeOwnershipPrivilege	4304	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe

pid process

4416 e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe

pid	process
4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe

description	pid	process	target process
PID 4416 wrote to memory of 4980	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4980	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4980	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 3748	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 3748	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 3748	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 744	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 744	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 744	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4380	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4380	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4380	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4328	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4328	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4328	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2376	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2376	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2376	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2940	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2940	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2940	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4108	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4108	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4108	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2748	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2748	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2748	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 3752	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 3752	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 3752	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 1452	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 1452	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 1452	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2400	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2400	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2400	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 3120	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 3120	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 3120	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2040	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2040	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2040	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4332	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4332	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4332	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 1256	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 1256	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 1256	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 3368	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 3368	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 3368	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 4404	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4404	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 4404	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 1084	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 1084	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 1084	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 1508	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 1508	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 1508	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe
PID 4416 wrote to memory of 2972	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2972	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 2972	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	takeown.exe
PID 4416 wrote to memory of 1248	4416	e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe
"C:\Users\Admin\AppData\Local\Temp\e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\otnd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4980

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\otnd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3748

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4380

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2376

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4108

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3752

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2400

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2040

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1256

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4404

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1508

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1248

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3708

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2528

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4288

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3288

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4136

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\otnd.exe
Filesize
68KB

MD5
260b3c4a413811c479d9d1de96eda7e1

SHA1
2a451ab1256878ac86addf9a8cbea94149b3007c

SHA256
e60361417207a2d0edefcaf1d7e5ffd5887316b0825ec9ac353288b7b60300ef

SHA512
fdb57c7a1afc0e89747f3598162f1db4df5c7e392f0cc18a848cf849e70239c754a6b140dc7e2f8c8400f6265b701bf31299f5d69afe91a5f5b2b58e5a105ea7

Download Submit
memory/744-137-0x0000000000000000-mapping.dmp

Download
memory/744-163-0x0000000000000000-mapping.dmp

Download
memory/832-165-0x0000000000000000-mapping.dmp

Download
memory/1084-153-0x0000000000000000-mapping.dmp

Download
memory/1248-156-0x0000000000000000-mapping.dmp

Download
memory/1256-150-0x0000000000000000-mapping.dmp

Download
memory/1452-145-0x0000000000000000-mapping.dmp

Download
memory/1508-154-0x0000000000000000-mapping.dmp

Download
memory/2040-148-0x0000000000000000-mapping.dmp

Download
memory/2376-140-0x0000000000000000-mapping.dmp

Download
memory/2400-146-0x0000000000000000-mapping.dmp

Download
memory/2504-157-0x0000000000000000-mapping.dmp

Download
memory/2528-160-0x0000000000000000-mapping.dmp

Download
memory/2748-143-0x0000000000000000-mapping.dmp

Download
memory/2780-168-0x0000000000000000-mapping.dmp

Download
memory/2940-141-0x0000000000000000-mapping.dmp

Download
memory/2972-155-0x0000000000000000-mapping.dmp

Download
memory/3120-147-0x0000000000000000-mapping.dmp

Download
memory/3288-164-0x0000000000000000-mapping.dmp

Download
memory/3368-151-0x0000000000000000-mapping.dmp

Download
memory/3508-161-0x0000000000000000-mapping.dmp

Download
memory/3652-159-0x0000000000000000-mapping.dmp

Download
memory/3708-158-0x0000000000000000-mapping.dmp

Download
memory/3748-136-0x0000000000000000-mapping.dmp

Download
memory/3752-144-0x0000000000000000-mapping.dmp

Download
memory/4108-142-0x0000000000000000-mapping.dmp

Download
memory/4136-166-0x0000000000000000-mapping.dmp

Download
memory/4288-162-0x0000000000000000-mapping.dmp

Download
memory/4304-167-0x0000000000000000-mapping.dmp

Download
memory/4328-139-0x0000000000000000-mapping.dmp

Download
memory/4332-149-0x0000000000000000-mapping.dmp

Download
memory/4380-138-0x0000000000000000-mapping.dmp

Download
memory/4404-152-0x0000000000000000-mapping.dmp

Download
memory/4980-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads