ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232

General

Target

ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
Size

64KB
MD5

156b0d499d5bce95710bf613e038fbf6
SHA1

f83a03b73bc4c8f9c70927831c542cb8beb14eba
SHA256

ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232
SHA512

f2ef4f323070757a7eaf2909da3c087aab2fa7f74b71efeadbddfc77011110360fc7129374d5f15fef017f5054efeb3de6d44a7f4ed71fb526e8ed0434494460
SSDEEP

768:rhzt36itED7hifBZo7jAeSZnZIlv8ix3LYg/xH2u2KwuL6AhPKX0:rD3c7OeSZn+auYkR2u2YLxtM0

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
2976	icacls.exe
1028	icacls.exe
3820	takeown.exe
1980	takeown.exe
1636	takeown.exe
2152	takeown.exe
5116	takeown.exe
2836	icacls.exe
4328	icacls.exe
2384	takeown.exe
4412	takeown.exe
2080	icacls.exe
1664	takeown.exe
2112	icacls.exe
4480	takeown.exe
4908	icacls.exe
1452	takeown.exe
1784	takeown.exe
4704	icacls.exe
4512	takeown.exe
2940	icacls.exe
1044	takeown.exe
4164	icacls.exe
1516	takeown.exe
400	icacls.exe
3120	icacls.exe
2600	takeown.exe
3288	takeown.exe
308	icacls.exe
3540	takeown.exe
4116	icacls.exe
1812	icacls.exe
3936	icacls.exe
4480	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
2080	icacls.exe
3820	takeown.exe
1044	takeown.exe
4412	takeown.exe
5116	takeown.exe
2600	takeown.exe
1636	takeown.exe
4480	icacls.exe
2976	icacls.exe
2384	takeown.exe
1664	takeown.exe
3540	takeown.exe
400	icacls.exe
1812	icacls.exe
3936	icacls.exe
4328	icacls.exe
3120	icacls.exe
3288	takeown.exe
2112	icacls.exe
4480	takeown.exe
4908	icacls.exe
4116	icacls.exe
4704	icacls.exe
2152	takeown.exe
1452	takeown.exe
1028	icacls.exe
1980	takeown.exe
4164	icacls.exe
4512	takeown.exe
308	icacls.exe
2940	icacls.exe
1784	takeown.exe
2836	icacls.exe
1516	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hhuzy.exe	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
File opened for modification	C:\Windows\SysWOW64\hhuzy.exe	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1452	takeown.exe
Token: SeTakeOwnershipPrivilege	4512	takeown.exe
Token: SeTakeOwnershipPrivilege	3540	takeown.exe
Token: SeTakeOwnershipPrivilege	3820	takeown.exe
Token: SeTakeOwnershipPrivilege	2384	takeown.exe
Token: SeTakeOwnershipPrivilege	1784	takeown.exe
Token: SeTakeOwnershipPrivilege	1980	takeown.exe
Token: SeTakeOwnershipPrivilege	1636	takeown.exe
Token: SeTakeOwnershipPrivilege	2152	takeown.exe
Token: SeTakeOwnershipPrivilege	1044	takeown.exe
Token: SeTakeOwnershipPrivilege	4412	takeown.exe
Token: SeTakeOwnershipPrivilege	5116	takeown.exe
Token: SeTakeOwnershipPrivilege	2600	takeown.exe
Token: SeTakeOwnershipPrivilege	3288	takeown.exe
Token: SeTakeOwnershipPrivilege	1664	takeown.exe
Token: SeTakeOwnershipPrivilege	1516	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe

pid process

4728 ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe

pid	process
4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe

description	pid	process	target process
PID 4728 wrote to memory of 4480	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4480	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4480	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4908	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 4908	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 4908	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1452	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1452	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1452	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1028	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1028	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1028	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 4512	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4512	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4512	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 308	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 308	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 308	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 3540	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 3540	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 3540	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 400	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 400	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 400	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 3820	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 3820	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 3820	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 2940	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 2940	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 2940	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 2384	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 2384	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 2384	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4116	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 4116	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 4116	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1784	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1784	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1784	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1812	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1812	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1812	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1980	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1980	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1980	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4704	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 4704	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 4704	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1636	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1636	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1636	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 2836	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 2836	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 2836	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 2152	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 2152	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 2152	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 3120	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 3120	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 3120	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe
PID 4728 wrote to memory of 1044	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1044	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 1044	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	takeown.exe
PID 4728 wrote to memory of 4164	4728	ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
"C:\Users\Admin\AppData\Local\Temp\ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\hhuzy.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4480

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\hhuzy.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4908

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1028

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:308

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:400

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2940

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4116

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1812

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4704

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2836

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3120

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4164

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3936

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4480

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2080

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4328

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2976

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hhuzy.exe
Filesize
64KB

MD5
156b0d499d5bce95710bf613e038fbf6

SHA1
f83a03b73bc4c8f9c70927831c542cb8beb14eba

SHA256
ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232

SHA512
f2ef4f323070757a7eaf2909da3c087aab2fa7f74b71efeadbddfc77011110360fc7129374d5f15fef017f5054efeb3de6d44a7f4ed71fb526e8ed0434494460

Download Submit
memory/308-140-0x0000000000000000-mapping.dmp

Download
memory/400-142-0x0000000000000000-mapping.dmp

Download
memory/1028-138-0x0000000000000000-mapping.dmp

Download
memory/1044-155-0x0000000000000000-mapping.dmp

Download
memory/1452-137-0x0000000000000000-mapping.dmp

Download
memory/1516-167-0x0000000000000000-mapping.dmp

Download
memory/1636-151-0x0000000000000000-mapping.dmp

Download
memory/1664-165-0x0000000000000000-mapping.dmp

Download
memory/1784-147-0x0000000000000000-mapping.dmp

Download
memory/1812-148-0x0000000000000000-mapping.dmp

Download
memory/1980-149-0x0000000000000000-mapping.dmp

Download
memory/2080-162-0x0000000000000000-mapping.dmp

Download
memory/2112-168-0x0000000000000000-mapping.dmp

Download
memory/2152-153-0x0000000000000000-mapping.dmp

Download
memory/2384-145-0x0000000000000000-mapping.dmp

Download
memory/2600-161-0x0000000000000000-mapping.dmp

Download
memory/2836-152-0x0000000000000000-mapping.dmp

Download
memory/2940-144-0x0000000000000000-mapping.dmp

Download
memory/2976-166-0x0000000000000000-mapping.dmp

Download
memory/3120-154-0x0000000000000000-mapping.dmp

Download
memory/3288-163-0x0000000000000000-mapping.dmp

Download
memory/3540-141-0x0000000000000000-mapping.dmp

Download
memory/3820-143-0x0000000000000000-mapping.dmp

Download
memory/3936-158-0x0000000000000000-mapping.dmp

Download
memory/4116-146-0x0000000000000000-mapping.dmp

Download
memory/4164-156-0x0000000000000000-mapping.dmp

Download
memory/4328-164-0x0000000000000000-mapping.dmp

Download
memory/4412-157-0x0000000000000000-mapping.dmp

Download
memory/4480-160-0x0000000000000000-mapping.dmp

Download
memory/4480-134-0x0000000000000000-mapping.dmp

Download
memory/4512-139-0x0000000000000000-mapping.dmp

Download
memory/4704-150-0x0000000000000000-mapping.dmp

Download
memory/4908-136-0x0000000000000000-mapping.dmp

Download
memory/5116-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads