02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950

General

Target

02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe
Size

72KB
MD5

171d739d49625ded59c2fef93d327c50
SHA1

df70777186a24a3ba9118cd5a24f4a5044dd35a3
SHA256

02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950
SHA512

519a0563e71f6dcfe5493d29da3a2ae347cf607970ae28780052146d3712dc3a24bef1b344a4e7a1b05697c3a4bf146cf324e3aa5b9c000ed5bdeba9eb62a545
SSDEEP

768:H4rfy/f4GvazT84BpgzSoZ4K60wjenyWPRM0fpuhcccZAhkn29ub42QEFn26i7ZS:H//fCT84e/ryZ0I6NA9ub6EFpi9kvcy

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
4004	icacls.exe
1344	takeown.exe
2936	takeown.exe
3128	icacls.exe
616	icacls.exe
1484	icacls.exe
5080	takeown.exe
812	icacls.exe
2720	takeown.exe
4720	takeown.exe
208	takeown.exe
1744	takeown.exe
5000	takeown.exe
3456	takeown.exe
4960	icacls.exe
4216	takeown.exe
2192	icacls.exe
4444	takeown.exe
2420	takeown.exe
3488	icacls.exe
4848	takeown.exe
4048	icacls.exe
3860	icacls.exe
4640	icacls.exe
4464	icacls.exe
1372	icacls.exe
1072	takeown.exe
3372	takeown.exe
2920	icacls.exe
532	icacls.exe
5108	icacls.exe
4624	takeown.exe
4732	takeown.exe
4728	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
616	icacls.exe
3488	icacls.exe
4732	takeown.exe
2936	takeown.exe
5080	takeown.exe
3860	icacls.exe
4640	icacls.exe
4848	takeown.exe
2192	icacls.exe
4004	icacls.exe
4048	icacls.exe
2720	takeown.exe
4444	takeown.exe
4624	takeown.exe
3128	icacls.exe
3456	takeown.exe
4960	icacls.exe
1344	takeown.exe
1372	icacls.exe
4728	icacls.exe
3372	takeown.exe
1072	takeown.exe
2920	icacls.exe
4216	takeown.exe
5000	takeown.exe
812	icacls.exe
4720	takeown.exe
1484	icacls.exe
4464	icacls.exe
532	icacls.exe
208	takeown.exe
5108	icacls.exe
1744	takeown.exe
2420	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe
File created	C:\Windows\SysWOW64\mthvo.exe	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe
File opened for modification	C:\Windows\SysWOW64\mthvo.exe	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4624	takeown.exe
Token: SeTakeOwnershipPrivilege	4732	takeown.exe
Token: SeTakeOwnershipPrivilege	4848	takeown.exe
Token: SeTakeOwnershipPrivilege	4216	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeTakeOwnershipPrivilege	2720	takeown.exe
Token: SeTakeOwnershipPrivilege	5000	takeown.exe
Token: SeTakeOwnershipPrivilege	3372	takeown.exe
Token: SeTakeOwnershipPrivilege	3456	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	5080	takeown.exe
Token: SeTakeOwnershipPrivilege	208	takeown.exe
Token: SeTakeOwnershipPrivilege	1744	takeown.exe
Token: SeTakeOwnershipPrivilege	4444	takeown.exe
Token: SeTakeOwnershipPrivilege	2420	takeown.exe
Token: SeTakeOwnershipPrivilege	4720	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe

pid process

4868 02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe

pid	process
4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe

description	pid	process	target process
PID 4868 wrote to memory of 1344	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 1344	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 1344	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 616	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 616	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 616	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4624	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4624	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4624	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 3488	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 3488	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 3488	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4732	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4732	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4732	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4728	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4728	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4728	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4848	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4848	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4848	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4048	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4048	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4048	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4216	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4216	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4216	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 1484	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 1484	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 1484	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 2936	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 2936	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 2936	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4464	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4464	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4464	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 2720	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 2720	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 2720	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 1372	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 1372	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 1372	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 5000	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 5000	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 5000	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 2192	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 2192	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 2192	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 3372	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 3372	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 3372	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 3128	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 3128	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 3128	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 3456	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 3456	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 3456	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 4960	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4960	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 4960	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe
PID 4868 wrote to memory of 1072	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 1072	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 1072	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	takeown.exe
PID 4868 wrote to memory of 2920	4868	02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe
"C:\Users\Admin\AppData\Local\Temp\02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\mthvo.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1344

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\mthvo.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:616

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3488

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4728

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4048

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1484

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4464

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1372

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2192

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3128

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4960

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2920

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:532

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5108

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3860

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:812

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4004

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mthvo.exe
Filesize
72KB

MD5
171d739d49625ded59c2fef93d327c50

SHA1
df70777186a24a3ba9118cd5a24f4a5044dd35a3

SHA256
02cd7c140fa4745d084a37f66b38601e98c5f9d983740bc8b15b395b38cb3950

SHA512
519a0563e71f6dcfe5493d29da3a2ae347cf607970ae28780052146d3712dc3a24bef1b344a4e7a1b05697c3a4bf146cf324e3aa5b9c000ed5bdeba9eb62a545

Download Submit
memory/208-159-0x0000000000000000-mapping.dmp

Download
memory/532-158-0x0000000000000000-mapping.dmp

Download
memory/616-136-0x0000000000000000-mapping.dmp

Download
memory/812-164-0x0000000000000000-mapping.dmp

Download
memory/1072-155-0x0000000000000000-mapping.dmp

Download
memory/1344-134-0x0000000000000000-mapping.dmp

Download
memory/1372-148-0x0000000000000000-mapping.dmp

Download
memory/1484-144-0x0000000000000000-mapping.dmp

Download
memory/1744-161-0x0000000000000000-mapping.dmp

Download
memory/2192-150-0x0000000000000000-mapping.dmp

Download
memory/2420-165-0x0000000000000000-mapping.dmp

Download
memory/2720-147-0x0000000000000000-mapping.dmp

Download
memory/2920-156-0x0000000000000000-mapping.dmp

Download
memory/2936-145-0x0000000000000000-mapping.dmp

Download
memory/3128-152-0x0000000000000000-mapping.dmp

Download
memory/3372-151-0x0000000000000000-mapping.dmp

Download
memory/3456-153-0x0000000000000000-mapping.dmp

Download
memory/3488-138-0x0000000000000000-mapping.dmp

Download
memory/3860-162-0x0000000000000000-mapping.dmp

Download
memory/4004-166-0x0000000000000000-mapping.dmp

Download
memory/4048-142-0x0000000000000000-mapping.dmp

Download
memory/4216-143-0x0000000000000000-mapping.dmp

Download
memory/4444-163-0x0000000000000000-mapping.dmp

Download
memory/4464-146-0x0000000000000000-mapping.dmp

Download
memory/4624-137-0x0000000000000000-mapping.dmp

Download
memory/4640-168-0x0000000000000000-mapping.dmp

Download
memory/4720-167-0x0000000000000000-mapping.dmp

Download
memory/4728-140-0x0000000000000000-mapping.dmp

Download
memory/4732-139-0x0000000000000000-mapping.dmp

Download
memory/4848-141-0x0000000000000000-mapping.dmp

Download
memory/4960-154-0x0000000000000000-mapping.dmp

Download
memory/5000-149-0x0000000000000000-mapping.dmp

Download
memory/5080-157-0x0000000000000000-mapping.dmp

Download
memory/5108-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads