3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598

General

Target

3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
Size

68KB
MD5

081e05e6392b1b028d2c76abab626976
SHA1

b71fe920748230c5a6aa6e43148a66c35ecdb4ed
SHA256

3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598
SHA512

f091a0171a14e1f15261a0d03b45e792510581b2b21e8523b57aabda2fb7b8b5a68db366588ee6f8a5e1e871fa5e4fc7c9e6c8a9eb2349a266087810217021e1
SSDEEP

768:pmGVD7IqdoTouRxKuuDGIwJ5w8WMIlxAig4Gvx04COYKGgX1Uy5muXI:zD7vEIK1Ilx/yWglUy5m4I

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
4756	icacls.exe
4348	icacls.exe
3364	icacls.exe
944	icacls.exe
3968	icacls.exe
1952	takeown.exe
5040	icacls.exe
4792	takeown.exe
4372	icacls.exe
616	icacls.exe
1860	takeown.exe
1120	icacls.exe
4524	takeown.exe
4588	takeown.exe
2792	icacls.exe
1860	icacls.exe
1384	takeown.exe
3140	takeown.exe
3264	takeown.exe
1044	icacls.exe
4840	takeown.exe
332	icacls.exe
2412	takeown.exe
4796	takeown.exe
4520	icacls.exe
3832	takeown.exe
2160	takeown.exe
4028	icacls.exe
2100	takeown.exe
2344	takeown.exe
1904	icacls.exe
4524	icacls.exe
4260	takeown.exe
4988	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
4260	takeown.exe
1860	takeown.exe
4796	takeown.exe
3264	takeown.exe
4372	icacls.exe
332	icacls.exe
4588	takeown.exe
2792	icacls.exe
3832	takeown.exe
1120	icacls.exe
1860	icacls.exe
2344	takeown.exe
2100	takeown.exe
1904	icacls.exe
1952	takeown.exe
4756	icacls.exe
5040	icacls.exe
1384	takeown.exe
1044	icacls.exe
3968	icacls.exe
4840	takeown.exe
3140	takeown.exe
2412	takeown.exe
944	icacls.exe
4520	icacls.exe
4348	icacls.exe
2160	takeown.exe
4028	icacls.exe
4792	takeown.exe
616	icacls.exe
4524	takeown.exe
4988	takeown.exe
4524	icacls.exe
3364	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
File created	C:\Windows\SysWOW64\tdavx.exe	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
File opened for modification	C:\Windows\SysWOW64\tdavx.exe	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2412	takeown.exe
Token: SeTakeOwnershipPrivilege	4524	takeown.exe
Token: SeTakeOwnershipPrivilege	4796	takeown.exe
Token: SeTakeOwnershipPrivilege	2160	takeown.exe
Token: SeTakeOwnershipPrivilege	2344	takeown.exe
Token: SeTakeOwnershipPrivilege	4588	takeown.exe
Token: SeTakeOwnershipPrivilege	3264	takeown.exe
Token: SeTakeOwnershipPrivilege	1384	takeown.exe
Token: SeTakeOwnershipPrivilege	4792	takeown.exe
Token: SeTakeOwnershipPrivilege	2100	takeown.exe
Token: SeTakeOwnershipPrivilege	4840	takeown.exe
Token: SeTakeOwnershipPrivilege	3140	takeown.exe
Token: SeTakeOwnershipPrivilege	3832	takeown.exe
Token: SeTakeOwnershipPrivilege	4988	takeown.exe
Token: SeTakeOwnershipPrivilege	1860	takeown.exe
Token: SeTakeOwnershipPrivilege	1952	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe

pid process

2552 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe

pid	process
2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe

description	pid	process	target process
PID 2552 wrote to memory of 4260	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4260	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4260	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 1120	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 1120	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 1120	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 2412	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2412	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2412	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 944	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 944	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 944	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4524	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4524	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4524	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 1860	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 1860	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 1860	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4796	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4796	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4796	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4756	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4756	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4756	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 2160	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2160	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2160	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4520	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4520	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4520	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 2344	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2344	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2344	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4348	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4348	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4348	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4588	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4588	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4588	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 5040	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 5040	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 5040	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 3264	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 3264	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 3264	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4028	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4028	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4028	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 1384	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 1384	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 1384	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 1044	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 1044	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 1044	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4792	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4792	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4792	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 4372	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4372	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 4372	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe
PID 2552 wrote to memory of 2100	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2100	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 2100	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	takeown.exe
PID 2552 wrote to memory of 3968	2552	3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
"C:\Users\Admin\AppData\Local\Temp\3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\tdavx.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4260

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\tdavx.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1120

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:944

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1860

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4756

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4520

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4348

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5040

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4028

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1044

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4372

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3968

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1904

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:616

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:332

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4524

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2792

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tdavx.exe
Filesize
68KB

MD5
081e05e6392b1b028d2c76abab626976

SHA1
b71fe920748230c5a6aa6e43148a66c35ecdb4ed

SHA256
3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598

SHA512
f091a0171a14e1f15261a0d03b45e792510581b2b21e8523b57aabda2fb7b8b5a68db366588ee6f8a5e1e871fa5e4fc7c9e6c8a9eb2349a266087810217021e1

Download Submit
memory/332-162-0x0000000000000000-mapping.dmp

Download
memory/616-160-0x0000000000000000-mapping.dmp

Download
memory/944-138-0x0000000000000000-mapping.dmp

Download
memory/1044-152-0x0000000000000000-mapping.dmp

Download
memory/1120-136-0x0000000000000000-mapping.dmp

Download
memory/1384-151-0x0000000000000000-mapping.dmp

Download
memory/1860-165-0x0000000000000000-mapping.dmp

Download
memory/1860-140-0x0000000000000000-mapping.dmp

Download
memory/1904-158-0x0000000000000000-mapping.dmp

Download
memory/1952-167-0x0000000000000000-mapping.dmp

Download
memory/2100-155-0x0000000000000000-mapping.dmp

Download
memory/2160-143-0x0000000000000000-mapping.dmp

Download
memory/2344-145-0x0000000000000000-mapping.dmp

Download
memory/2412-137-0x0000000000000000-mapping.dmp

Download
memory/2792-166-0x0000000000000000-mapping.dmp

Download
memory/3140-159-0x0000000000000000-mapping.dmp

Download
memory/3264-149-0x0000000000000000-mapping.dmp

Download
memory/3364-168-0x0000000000000000-mapping.dmp

Download
memory/3832-161-0x0000000000000000-mapping.dmp

Download
memory/3968-156-0x0000000000000000-mapping.dmp

Download
memory/4028-150-0x0000000000000000-mapping.dmp

Download
memory/4260-134-0x0000000000000000-mapping.dmp

Download
memory/4348-146-0x0000000000000000-mapping.dmp

Download
memory/4372-154-0x0000000000000000-mapping.dmp

Download
memory/4520-144-0x0000000000000000-mapping.dmp

Download
memory/4524-164-0x0000000000000000-mapping.dmp

Download
memory/4524-139-0x0000000000000000-mapping.dmp

Download
memory/4588-147-0x0000000000000000-mapping.dmp

Download
memory/4756-142-0x0000000000000000-mapping.dmp

Download
memory/4792-153-0x0000000000000000-mapping.dmp

Download
memory/4796-141-0x0000000000000000-mapping.dmp

Download
memory/4840-157-0x0000000000000000-mapping.dmp

Download
memory/4988-163-0x0000000000000000-mapping.dmp

Download
memory/5040-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads