180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae

General

Target

180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe
Size

64KB
MD5

15cc33765ef0bf4d6cd708a3cf2d49e6
SHA1

4fb85183c4737906466ba3b9180622c864fabf39
SHA256

180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae
SHA512

0f8132db6e9cb79415575fcc63db9fa3eb3c1077ed8f0e092a40199cc526714d13dfc7a81d22081bdab3f2ef478df87f0476ddfd2da73685bbbd1f1b12bd365b
SSDEEP

768:t4dn4NxnW8EV5OFixDHkghKWOD5lSyEwa40HivgzzXKRK90HWoKhg6XYIjD3Msdx:t4d4HW8etEZD5qiM9TF4sGVPvmVFF

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 17 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
4508	icacls.exe
4516	icacls.exe
3332	icacls.exe
224	icacls.exe
796	icacls.exe
912	icacls.exe
1060	icacls.exe
2280	icacls.exe
3352	takeown.exe
2304	takeown.exe
1956	takeown.exe
3692	takeown.exe
4860	icacls.exe
3448	takeown.exe
3320	icacls.exe
3008	icacls.exe
3180	takeown.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
224	icacls.exe
2280	icacls.exe
3008	icacls.exe
4516	icacls.exe
3448	takeown.exe
912	icacls.exe
2304	takeown.exe
3180	takeown.exe
1956	takeown.exe
3352	takeown.exe
4508	icacls.exe
4860	icacls.exe
1060	icacls.exe
3332	icacls.exe
3320	icacls.exe
796	icacls.exe
3692	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe
File created	\??\c:\windows\SysWOW64\whqx.exe	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe
File opened for modification	\??\c:\windows\SysWOW64\whqx.exe	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3692	takeown.exe
Token: SeTakeOwnershipPrivilege	2304	takeown.exe
Token: SeTakeOwnershipPrivilege	3180	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe

pid process

4660 180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe

pid	process
4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe

description	pid	process	target process
PID 4660 wrote to memory of 3352	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3352	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3352	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 796	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 796	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 796	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3692	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3692	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3692	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 4860	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4860	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4860	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 912	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 912	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 912	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 2304	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 2304	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 2304	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3008	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3008	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3008	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4508	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4508	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4508	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3180	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3180	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3180	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 1060	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 1060	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 1060	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4516	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4516	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 4516	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 1956	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 1956	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 1956	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 224	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 224	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 224	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3332	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3332	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3332	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3448	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3448	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3448	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	takeown.exe
PID 4660 wrote to memory of 3320	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3320	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 3320	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 2280	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 2280	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe
PID 4660 wrote to memory of 2280	4660	180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe
"C:\Users\Admin\AppData\Local\Temp\180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\whqx.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3352

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\whqx.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:796

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:912

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4860

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4508

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3008

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4516

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3332

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:224

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3448

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2280

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\whqx.exe
Filesize
64KB

MD5
15cc33765ef0bf4d6cd708a3cf2d49e6

SHA1
4fb85183c4737906466ba3b9180622c864fabf39

SHA256
180596b8f890feb9969973187c9b810e4f934f17a62cdd80d85b060c78ddcaae

SHA512
0f8132db6e9cb79415575fcc63db9fa3eb3c1077ed8f0e092a40199cc526714d13dfc7a81d22081bdab3f2ef478df87f0476ddfd2da73685bbbd1f1b12bd365b

Download Submit
memory/224-147-0x0000000000000000-mapping.dmp

Download
memory/796-135-0x0000000000000000-mapping.dmp

Download
memory/912-139-0x0000000000000000-mapping.dmp

Download
memory/1060-144-0x0000000000000000-mapping.dmp

Download
memory/1956-146-0x0000000000000000-mapping.dmp

Download
memory/2280-151-0x0000000000000000-mapping.dmp

Download
memory/2304-140-0x0000000000000000-mapping.dmp

Download
memory/3008-141-0x0000000000000000-mapping.dmp

Download
memory/3180-143-0x0000000000000000-mapping.dmp

Download
memory/3320-150-0x0000000000000000-mapping.dmp

Download
memory/3332-148-0x0000000000000000-mapping.dmp

Download
memory/3352-134-0x0000000000000000-mapping.dmp

Download
memory/3448-149-0x0000000000000000-mapping.dmp

Download
memory/3692-137-0x0000000000000000-mapping.dmp

Download
memory/4508-142-0x0000000000000000-mapping.dmp

Download
memory/4516-145-0x0000000000000000-mapping.dmp

Download
memory/4860-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads