800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec

General

Target

800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
Size

72KB
MD5

096325d737bd6b67b2ca435ad6426be1
SHA1

0404febbc135b17bace80cf7d945e3b6c89b7607
SHA256

800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec
SHA512

4e213551524704883242ed8d3ffb37dfab7a6f65f67e9ef64831f1866dee3b7e672d68477271985f11ed12d18ba66ac9760e376e3265221da83e4e551d446724
SSDEEP

768:I9r9B4F/P3GFUfOLSdFbO0WA6NeqOA398Pg/dewX6yDUgsId2DzjVdGEXi6:IPB4NP/dg0ANM9TymvzjLNH

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
1504	takeown.exe
4532	icacls.exe
5068	takeown.exe
5020	icacls.exe
3856	icacls.exe
2560	icacls.exe
5036	takeown.exe
3180	icacls.exe
504	takeown.exe
2472	takeown.exe
4832	takeown.exe
848	icacls.exe
1368	takeown.exe
4220	takeown.exe
1656	takeown.exe
4684	takeown.exe
4344	icacls.exe
4196	takeown.exe
3564	icacls.exe
1756	icacls.exe
4124	icacls.exe
1820	icacls.exe
756	icacls.exe
3124	takeown.exe
1048	icacls.exe
3444	takeown.exe
1780	takeown.exe
5008	takeown.exe
1444	icacls.exe
2424	icacls.exe
3960	takeown.exe
1184	takeown.exe
976	icacls.exe
1952	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
1444	icacls.exe
2560	icacls.exe
1656	takeown.exe
3444	takeown.exe
5020	icacls.exe
1952	icacls.exe
1780	takeown.exe
1048	icacls.exe
5036	takeown.exe
1820	icacls.exe
3564	icacls.exe
4532	icacls.exe
1756	icacls.exe
2424	icacls.exe
3960	takeown.exe
3180	icacls.exe
1184	takeown.exe
5008	takeown.exe
3856	icacls.exe
1504	takeown.exe
4684	takeown.exe
976	icacls.exe
4124	icacls.exe
4196	takeown.exe
1368	takeown.exe
4220	takeown.exe
756	icacls.exe
3124	takeown.exe
5068	takeown.exe
504	takeown.exe
4344	icacls.exe
2472	takeown.exe
4832	takeown.exe
848	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File created	C:\Windows\SysWOW64\xdxez.exe	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification	C:\Windows\SysWOW64\xdxez.exe	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	504	takeown.exe
Token: SeTakeOwnershipPrivilege	2472	takeown.exe
Token: SeTakeOwnershipPrivilege	1780	takeown.exe
Token: SeTakeOwnershipPrivilege	5008	takeown.exe
Token: SeTakeOwnershipPrivilege	1368	takeown.exe
Token: SeTakeOwnershipPrivilege	4196	takeown.exe
Token: SeTakeOwnershipPrivilege	4220	takeown.exe
Token: SeTakeOwnershipPrivilege	1656	takeown.exe
Token: SeTakeOwnershipPrivilege	1504	takeown.exe
Token: SeTakeOwnershipPrivilege	3960	takeown.exe
Token: SeTakeOwnershipPrivilege	5036	takeown.exe
Token: SeTakeOwnershipPrivilege	3444	takeown.exe
Token: SeTakeOwnershipPrivilege	4684	takeown.exe
Token: SeTakeOwnershipPrivilege	3124	takeown.exe
Token: SeTakeOwnershipPrivilege	5068	takeown.exe
Token: SeTakeOwnershipPrivilege	4832	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

pid process

2692 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

pid	process
2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

description	pid	process	target process
PID 2692 wrote to memory of 1184	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1184	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1184	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1756	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1756	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1756	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 504	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 504	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 504	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 4344	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 4344	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 4344	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 2472	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 2472	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 2472	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 976	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 976	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 976	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1780	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1780	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1780	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 4124	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 4124	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 4124	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 5008	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 5008	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 5008	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 3856	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 3856	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 3856	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1368	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1368	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1368	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1444	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1444	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1444	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 4196	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 4196	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 4196	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1820	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1820	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1820	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 4220	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 4220	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 4220	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 756	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 756	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 756	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1656	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1656	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1656	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 2424	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 2424	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 2424	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 1504	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1504	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1504	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 2560	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 2560	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 2560	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe
PID 2692 wrote to memory of 3960	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 3960	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 3960	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	takeown.exe
PID 2692 wrote to memory of 1048	2692	800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
"C:\Users\Admin\AppData\Local\Temp\800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\xdxez.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1184

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\xdxez.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1756

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:504

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4344

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:976

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4124

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3856

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1444

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1820

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:756

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2424

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2560

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1048

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1952

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3564

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3180

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4532

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5020

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdxez.exe
Filesize
72KB

MD5
096325d737bd6b67b2ca435ad6426be1

SHA1
0404febbc135b17bace80cf7d945e3b6c89b7607

SHA256
800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec

SHA512
4e213551524704883242ed8d3ffb37dfab7a6f65f67e9ef64831f1866dee3b7e672d68477271985f11ed12d18ba66ac9760e376e3265221da83e4e551d446724

Download Submit
memory/504-137-0x0000000000000000-mapping.dmp

Download
memory/756-150-0x0000000000000000-mapping.dmp

Download
memory/848-168-0x0000000000000000-mapping.dmp

Download
memory/976-140-0x0000000000000000-mapping.dmp

Download
memory/1048-156-0x0000000000000000-mapping.dmp

Download
memory/1184-134-0x0000000000000000-mapping.dmp

Download
memory/1368-145-0x0000000000000000-mapping.dmp

Download
memory/1444-146-0x0000000000000000-mapping.dmp

Download
memory/1504-153-0x0000000000000000-mapping.dmp

Download
memory/1656-151-0x0000000000000000-mapping.dmp

Download
memory/1756-136-0x0000000000000000-mapping.dmp

Download
memory/1780-141-0x0000000000000000-mapping.dmp

Download
memory/1820-148-0x0000000000000000-mapping.dmp

Download
memory/1952-158-0x0000000000000000-mapping.dmp

Download
memory/2424-152-0x0000000000000000-mapping.dmp

Download
memory/2472-139-0x0000000000000000-mapping.dmp

Download
memory/2560-154-0x0000000000000000-mapping.dmp

Download
memory/3124-163-0x0000000000000000-mapping.dmp

Download
memory/3180-162-0x0000000000000000-mapping.dmp

Download
memory/3444-159-0x0000000000000000-mapping.dmp

Download
memory/3564-160-0x0000000000000000-mapping.dmp

Download
memory/3856-144-0x0000000000000000-mapping.dmp

Download
memory/3960-155-0x0000000000000000-mapping.dmp

Download
memory/4124-142-0x0000000000000000-mapping.dmp

Download
memory/4196-147-0x0000000000000000-mapping.dmp

Download
memory/4220-149-0x0000000000000000-mapping.dmp

Download
memory/4344-138-0x0000000000000000-mapping.dmp

Download
memory/4532-164-0x0000000000000000-mapping.dmp

Download
memory/4684-161-0x0000000000000000-mapping.dmp

Download
memory/4832-167-0x0000000000000000-mapping.dmp

Download
memory/5008-143-0x0000000000000000-mapping.dmp

Download
memory/5020-166-0x0000000000000000-mapping.dmp

Download
memory/5036-157-0x0000000000000000-mapping.dmp

Download
memory/5068-165-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads