890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c

General

Target

890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe
Size

72KB
MD5

061ad849c223f59c0ac6d27aa5e3c186
SHA1

ce7d93816371e70f56594f2377891f9f0f8e6d4c
SHA256

890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c
SHA512

d55cdeb46195ebd421556e14c367245869a666b7d8ee9153b193e7490163c3dae9a256d3ad1e8e45cce27df8a7d0743631150c76638d1b918a937aa252e19778
SSDEEP

1536:XDjD9i80x7IqCqmXf0axFV3mXQUwd1A5:XDViJBI4mP0aTVLZk

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
628	takeown.exe
4016	icacls.exe
3460	takeown.exe
4324	icacls.exe
532	icacls.exe
2584	icacls.exe
2192	icacls.exe
2608	takeown.exe
2452	takeown.exe
1876	takeown.exe
3576	takeown.exe
4540	takeown.exe
4560	takeown.exe
3412	takeown.exe
720	takeown.exe
1132	icacls.exe
900	takeown.exe
4228	icacls.exe
2672	icacls.exe
4616	takeown.exe
4088	takeown.exe
4720	takeown.exe
2684	icacls.exe
4564	takeown.exe
4828	icacls.exe
1532	icacls.exe
3748	takeown.exe
3100	icacls.exe
1468	icacls.exe
3936	icacls.exe
4668	icacls.exe
4724	takeown.exe
4804	icacls.exe
1688	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
2684	icacls.exe
4228	icacls.exe
2452	takeown.exe
4828	icacls.exe
4616	takeown.exe
4560	takeown.exe
1688	icacls.exe
3576	takeown.exe
532	icacls.exe
4564	takeown.exe
4668	icacls.exe
628	takeown.exe
1876	takeown.exe
1532	icacls.exe
4540	takeown.exe
3100	icacls.exe
3460	takeown.exe
4804	icacls.exe
720	takeown.exe
2608	takeown.exe
4324	icacls.exe
2584	icacls.exe
4088	takeown.exe
2672	icacls.exe
2192	icacls.exe
3748	takeown.exe
4724	takeown.exe
1468	icacls.exe
900	takeown.exe
3412	takeown.exe
3936	icacls.exe
4720	takeown.exe
1132	icacls.exe
4016	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cscript.exe	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe
File created	C:\Windows\SysWOW64\ensh.exe	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe
File opened for modification	C:\Windows\SysWOW64\ensh.exe	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3748	takeown.exe
Token: SeTakeOwnershipPrivilege	4540	takeown.exe
Token: SeTakeOwnershipPrivilege	628	takeown.exe
Token: SeTakeOwnershipPrivilege	4560	takeown.exe
Token: SeTakeOwnershipPrivilege	4724	takeown.exe
Token: SeTakeOwnershipPrivilege	3460	takeown.exe
Token: SeTakeOwnershipPrivilege	900	takeown.exe
Token: SeTakeOwnershipPrivilege	3412	takeown.exe
Token: SeTakeOwnershipPrivilege	4564	takeown.exe
Token: SeTakeOwnershipPrivilege	720	takeown.exe
Token: SeTakeOwnershipPrivilege	2608	takeown.exe
Token: SeTakeOwnershipPrivilege	2452	takeown.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeTakeOwnershipPrivilege	4616	takeown.exe
Token: SeTakeOwnershipPrivilege	4088	takeown.exe
Token: SeTakeOwnershipPrivilege	3576	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe

pid process

3916 890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe

pid	process
3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe

description	pid	process	target process
PID 3916 wrote to memory of 4720	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4720	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4720	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 1132	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 1132	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 1132	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 3748	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3748	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3748	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4668	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4668	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4668	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4540	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4540	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4540	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3100	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 3100	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 3100	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 628	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 628	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 628	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4016	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4016	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4016	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4560	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4560	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4560	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 532	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 532	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 532	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4724	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4724	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4724	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 2684	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 2684	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 2684	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 3460	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3460	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3460	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4804	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4804	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4804	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 900	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 900	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 900	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4228	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4228	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4228	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 3412	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3412	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3412	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 1468	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 1468	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 1468	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 4564	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4564	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 4564	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 1688	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 1688	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 1688	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe
PID 3916 wrote to memory of 720	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 720	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 720	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	takeown.exe
PID 3916 wrote to memory of 3936	3916	890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe
"C:\Users\Admin\AppData\Local\Temp\890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\ensh.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4720

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\ensh.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1132

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4668

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3100

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4016

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:532

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2684

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4804

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4228

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1468

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1688

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3936

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4324

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4828

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2584

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1532

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2672

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ensh.exe
Filesize
72KB

MD5
061ad849c223f59c0ac6d27aa5e3c186

SHA1
ce7d93816371e70f56594f2377891f9f0f8e6d4c

SHA256
890e684ee17ae901669cd6b9a5b3b3b0b8a665fbf55b5baf1f8f92464dda8d9c

SHA512
d55cdeb46195ebd421556e14c367245869a666b7d8ee9153b193e7490163c3dae9a256d3ad1e8e45cce27df8a7d0743631150c76638d1b918a937aa252e19778

Download Submit
memory/532-144-0x0000000000000000-mapping.dmp

Download
memory/628-141-0x0000000000000000-mapping.dmp

Download
memory/720-155-0x0000000000000000-mapping.dmp

Download
memory/900-149-0x0000000000000000-mapping.dmp

Download
memory/1132-136-0x0000000000000000-mapping.dmp

Download
memory/1468-152-0x0000000000000000-mapping.dmp

Download
memory/1532-164-0x0000000000000000-mapping.dmp

Download
memory/1688-154-0x0000000000000000-mapping.dmp

Download
memory/1876-161-0x0000000000000000-mapping.dmp

Download
memory/2192-168-0x0000000000000000-mapping.dmp

Download
memory/2452-159-0x0000000000000000-mapping.dmp

Download
memory/2584-162-0x0000000000000000-mapping.dmp

Download
memory/2608-157-0x0000000000000000-mapping.dmp

Download
memory/2672-166-0x0000000000000000-mapping.dmp

Download
memory/2684-146-0x0000000000000000-mapping.dmp

Download
memory/3100-140-0x0000000000000000-mapping.dmp

Download
memory/3412-151-0x0000000000000000-mapping.dmp

Download
memory/3460-147-0x0000000000000000-mapping.dmp

Download
memory/3576-167-0x0000000000000000-mapping.dmp

Download
memory/3748-137-0x0000000000000000-mapping.dmp

Download
memory/3936-156-0x0000000000000000-mapping.dmp

Download
memory/4016-142-0x0000000000000000-mapping.dmp

Download
memory/4088-165-0x0000000000000000-mapping.dmp

Download
memory/4228-150-0x0000000000000000-mapping.dmp

Download
memory/4324-158-0x0000000000000000-mapping.dmp

Download
memory/4540-139-0x0000000000000000-mapping.dmp

Download
memory/4560-143-0x0000000000000000-mapping.dmp

Download
memory/4564-153-0x0000000000000000-mapping.dmp

Download
memory/4616-163-0x0000000000000000-mapping.dmp

Download
memory/4668-138-0x0000000000000000-mapping.dmp

Download
memory/4720-134-0x0000000000000000-mapping.dmp

Download
memory/4724-145-0x0000000000000000-mapping.dmp

Download
memory/4804-148-0x0000000000000000-mapping.dmp

Download
memory/4828-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads