46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854

General

Target

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
Size

68KB
MD5

2a044541d4e9956ad433e0a48aaa0936
SHA1

c0f63bec4589c591fea3ab7fa7e5424a8c6aace0
SHA256

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854
SHA512

dcc4dfb5813896db4e89fe15e831b9cc17716343bb2fcf4db84b3faf0538986364ffec5ec41577aefb57cfe8a9980d82d95724876e7571bf0bbb5550d85aa19a
SSDEEP

768:17KVTXSlkfkq5BLLO88dBB2F0Xi+PuIs2Yd4JTHTfgzSw2S7dWJ0KwIRjz4MMUhY:MRaKBBO84E+lm7m4Mbhj6RfZIL/U

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
1220	icacls.exe
4052	takeown.exe
1656	icacls.exe
4884	icacls.exe
4212	takeown.exe
3448	icacls.exe
1116	takeown.exe
1216	takeown.exe
1368	takeown.exe
4368	icacls.exe
2684	icacls.exe
2252	icacls.exe
1552	takeown.exe
4232	icacls.exe
1528	icacls.exe
3556	icacls.exe
428	icacls.exe
4268	takeown.exe
1564	icacls.exe
3200	icacls.exe
4756	takeown.exe
4472	takeown.exe
5076	takeown.exe
4120	takeown.exe
1800	icacls.exe
672	takeown.exe
3200	takeown.exe
4560	icacls.exe
4252	icacls.exe
4680	takeown.exe
2612	takeown.exe
3520	icacls.exe
3548	takeown.exe
4924	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
3200	takeown.exe
1564	icacls.exe
1552	takeown.exe
1216	takeown.exe
4052	takeown.exe
4232	icacls.exe
428	icacls.exe
5076	takeown.exe
3448	icacls.exe
4924	takeown.exe
1220	icacls.exe
3520	icacls.exe
4560	icacls.exe
4680	takeown.exe
1368	takeown.exe
3200	icacls.exe
1116	takeown.exe
1800	icacls.exe
4884	icacls.exe
1528	icacls.exe
4368	icacls.exe
4472	takeown.exe
2684	icacls.exe
4252	icacls.exe
4756	takeown.exe
1656	icacls.exe
3556	icacls.exe
4268	takeown.exe
2252	icacls.exe
4120	takeown.exe
2612	takeown.exe
672	takeown.exe
4212	takeown.exe
3548	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
File created	C:\Windows\SysWOW64\aafb.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
File opened for modification	C:\Windows\SysWOW64\aafb.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5076	takeown.exe
Token: SeTakeOwnershipPrivilege	4268	takeown.exe
Token: SeTakeOwnershipPrivilege	1216	takeown.exe
Token: SeTakeOwnershipPrivilege	1368	takeown.exe
Token: SeTakeOwnershipPrivilege	3548	takeown.exe
Token: SeTakeOwnershipPrivilege	1552	takeown.exe
Token: SeTakeOwnershipPrivilege	4120	takeown.exe
Token: SeTakeOwnershipPrivilege	4924	takeown.exe
Token: SeTakeOwnershipPrivilege	1116	takeown.exe
Token: SeTakeOwnershipPrivilege	4756	takeown.exe
Token: SeTakeOwnershipPrivilege	4052	takeown.exe
Token: SeTakeOwnershipPrivilege	2612	takeown.exe
Token: SeTakeOwnershipPrivilege	4680	takeown.exe
Token: SeTakeOwnershipPrivilege	672	takeown.exe
Token: SeTakeOwnershipPrivilege	3200	takeown.exe
Token: SeTakeOwnershipPrivilege	4472	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

pid process

5044 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

pid	process
5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

description	pid	process	target process
PID 5044 wrote to memory of 4212	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4212	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4212	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1528	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1528	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1528	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 5076	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 5076	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 5076	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 3520	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 3520	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 3520	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4268	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4268	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4268	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 3448	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 3448	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 3448	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1216	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1216	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1216	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1564	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1564	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1564	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1368	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1368	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1368	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 3200	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 3200	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 3200	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 3548	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 3548	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 3548	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 2252	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 2252	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 2252	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1552	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1552	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1552	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4368	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4368	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4368	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4120	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4120	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4120	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4560	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4560	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4560	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4924	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4924	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4924	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4252	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4252	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4252	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1116	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1116	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1116	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1800	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1800	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 1800	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 5044 wrote to memory of 4756	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4756	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 4756	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 5044 wrote to memory of 1220	5044	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
"C:\Users\Admin\AppData\Local\Temp\46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\aafb.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4212

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\aafb.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1528

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3520

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3448

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1564

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3200

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2252

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4368

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4560

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4252

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1800

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1220

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1656

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4232

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3556

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4884

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:428

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aafb.exe
Filesize
68KB

MD5
2a044541d4e9956ad433e0a48aaa0936

SHA1
c0f63bec4589c591fea3ab7fa7e5424a8c6aace0

SHA256
46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854

SHA512
dcc4dfb5813896db4e89fe15e831b9cc17716343bb2fcf4db84b3faf0538986364ffec5ec41577aefb57cfe8a9980d82d95724876e7571bf0bbb5550d85aa19a

Download Submit
memory/428-166-0x0000000000000000-mapping.dmp

Download
memory/672-163-0x0000000000000000-mapping.dmp

Download
memory/1116-153-0x0000000000000000-mapping.dmp

Download
memory/1216-141-0x0000000000000000-mapping.dmp

Download
memory/1220-156-0x0000000000000000-mapping.dmp

Download
memory/1368-143-0x0000000000000000-mapping.dmp

Download
memory/1528-136-0x0000000000000000-mapping.dmp

Download
memory/1552-147-0x0000000000000000-mapping.dmp

Download
memory/1564-142-0x0000000000000000-mapping.dmp

Download
memory/1656-158-0x0000000000000000-mapping.dmp

Download
memory/1800-154-0x0000000000000000-mapping.dmp

Download
memory/2252-146-0x0000000000000000-mapping.dmp

Download
memory/2612-159-0x0000000000000000-mapping.dmp

Download
memory/2684-168-0x0000000000000000-mapping.dmp

Download
memory/3200-144-0x0000000000000000-mapping.dmp

Download
memory/3200-165-0x0000000000000000-mapping.dmp

Download
memory/3448-140-0x0000000000000000-mapping.dmp

Download
memory/3520-138-0x0000000000000000-mapping.dmp

Download
memory/3548-145-0x0000000000000000-mapping.dmp

Download
memory/3556-162-0x0000000000000000-mapping.dmp

Download
memory/4052-157-0x0000000000000000-mapping.dmp

Download
memory/4120-149-0x0000000000000000-mapping.dmp

Download
memory/4212-134-0x0000000000000000-mapping.dmp

Download
memory/4232-160-0x0000000000000000-mapping.dmp

Download
memory/4252-152-0x0000000000000000-mapping.dmp

Download
memory/4268-139-0x0000000000000000-mapping.dmp

Download
memory/4368-148-0x0000000000000000-mapping.dmp

Download
memory/4472-167-0x0000000000000000-mapping.dmp

Download
memory/4560-150-0x0000000000000000-mapping.dmp

Download
memory/4680-161-0x0000000000000000-mapping.dmp

Download
memory/4756-155-0x0000000000000000-mapping.dmp

Download
memory/4884-164-0x0000000000000000-mapping.dmp

Download
memory/4924-151-0x0000000000000000-mapping.dmp

Download
memory/5076-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads