a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c

General

Target

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
Size

64KB
MD5

19c3865c06159ff24bc7f49c067da306
SHA1

04804e390fb4f0e6264903808b089dcd4700605b
SHA256

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c
SHA512

a8d86157715466916d93bca3ef3bd9da48e39d8178b1e421b9ae067a49b62f15d729848201be72d9a1842e13f5aa717edb2c80c0dd08b5d435f24a6f00beadc9
SSDEEP

768:z38+NFO7RMrbFZiQeh0Sx08mmg9NDzHPFRZbBqorrfw3wenva1AT54B3/dVDDe0o:zs+XkOX0iZmWnbatF69Bj7/4z3

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
3988	icacls.exe
4760	icacls.exe
3812	icacls.exe
2880	icacls.exe
5008	takeown.exe
4944	takeown.exe
1848	icacls.exe
1636	icacls.exe
1328	takeown.exe
4636	icacls.exe
3748	icacls.exe
1648	takeown.exe
3776	takeown.exe
4600	icacls.exe
1220	takeown.exe
1804	takeown.exe
880	icacls.exe
4348	takeown.exe
3952	icacls.exe
1608	icacls.exe
2224	takeown.exe
3660	icacls.exe
2424	takeown.exe
4868	icacls.exe
2484	icacls.exe
4276	icacls.exe
4820	takeown.exe
3824	icacls.exe
1876	takeown.exe
772	takeown.exe
600	takeown.exe
4204	takeown.exe
3584	takeown.exe
216	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
4636	icacls.exe
2224	takeown.exe
3660	icacls.exe
4944	takeown.exe
1636	icacls.exe
4868	icacls.exe
1876	takeown.exe
2880	icacls.exe
3952	icacls.exe
3988	icacls.exe
1608	icacls.exe
772	takeown.exe
1648	takeown.exe
1848	icacls.exe
2484	icacls.exe
1220	takeown.exe
4820	takeown.exe
1328	takeown.exe
3812	icacls.exe
3824	icacls.exe
4204	takeown.exe
3776	takeown.exe
4276	icacls.exe
3584	takeown.exe
2424	takeown.exe
5008	takeown.exe
4600	icacls.exe
1804	takeown.exe
4348	takeown.exe
3748	icacls.exe
4760	icacls.exe
600	takeown.exe
880	icacls.exe
216	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
File created	C:\Windows\SysWOW64\tcyx.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
File opened for modification	C:\Windows\SysWOW64\tcyx.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1648	takeown.exe
Token: SeTakeOwnershipPrivilege	3776	takeown.exe
Token: SeTakeOwnershipPrivilege	4820	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe
Token: SeTakeOwnershipPrivilege	3584	takeown.exe
Token: SeTakeOwnershipPrivilege	772	takeown.exe
Token: SeTakeOwnershipPrivilege	600	takeown.exe
Token: SeTakeOwnershipPrivilege	2424	takeown.exe
Token: SeTakeOwnershipPrivilege	4944	takeown.exe
Token: SeTakeOwnershipPrivilege	1876	takeown.exe
Token: SeTakeOwnershipPrivilege	1804	takeown.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe
Token: SeTakeOwnershipPrivilege	216	takeown.exe
Token: SeTakeOwnershipPrivilege	5008	takeown.exe
Token: SeTakeOwnershipPrivilege	4348	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

pid process

2088 a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

pid	process
2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

description	pid	process	target process
PID 2088 wrote to memory of 4204	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4204	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4204	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3952	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3952	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3952	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 1648	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 1648	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 1648	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3988	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3988	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3988	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3776	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3776	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3776	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4276	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4276	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4276	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4820	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4820	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4820	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 1608	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 1608	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 1608	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 2224	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 2224	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 2224	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4600	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4600	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4600	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3584	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3584	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3584	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4760	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4760	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4760	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 772	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 772	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 772	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3824	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3824	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3824	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 600	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 600	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 600	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 3660	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3660	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 3660	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 2424	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 2424	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 2424	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4868	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4868	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4868	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 4944	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4944	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 4944	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 1848	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 1848	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 1848	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 2088 wrote to memory of 1876	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 1876	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 1876	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 2088 wrote to memory of 1636	2088	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
"C:\Users\Admin\AppData\Local\Temp\a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\tcyx.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4204

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\tcyx.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3952

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3988

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4276

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1608

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4600

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4760

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3824

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:600

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3660

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4868

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1848

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1636

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2484

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4636

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:880

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2880

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3812

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tcyx.exe
Filesize
64KB

MD5
19c3865c06159ff24bc7f49c067da306

SHA1
04804e390fb4f0e6264903808b089dcd4700605b

SHA256
a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c

SHA512
a8d86157715466916d93bca3ef3bd9da48e39d8178b1e421b9ae067a49b62f15d729848201be72d9a1842e13f5aa717edb2c80c0dd08b5d435f24a6f00beadc9

Download Submit
memory/216-163-0x0000000000000000-mapping.dmp

Download
memory/600-149-0x0000000000000000-mapping.dmp

Download
memory/772-147-0x0000000000000000-mapping.dmp

Download
memory/880-162-0x0000000000000000-mapping.dmp

Download
memory/1220-159-0x0000000000000000-mapping.dmp

Download
memory/1328-161-0x0000000000000000-mapping.dmp

Download
memory/1608-142-0x0000000000000000-mapping.dmp

Download
memory/1636-156-0x0000000000000000-mapping.dmp

Download
memory/1648-137-0x0000000000000000-mapping.dmp

Download
memory/1804-157-0x0000000000000000-mapping.dmp

Download
memory/1848-154-0x0000000000000000-mapping.dmp

Download
memory/1876-155-0x0000000000000000-mapping.dmp

Download
memory/2224-143-0x0000000000000000-mapping.dmp

Download
memory/2424-151-0x0000000000000000-mapping.dmp

Download
memory/2484-158-0x0000000000000000-mapping.dmp

Download
memory/2880-164-0x0000000000000000-mapping.dmp

Download
memory/3584-145-0x0000000000000000-mapping.dmp

Download
memory/3660-150-0x0000000000000000-mapping.dmp

Download
memory/3748-168-0x0000000000000000-mapping.dmp

Download
memory/3776-139-0x0000000000000000-mapping.dmp

Download
memory/3812-166-0x0000000000000000-mapping.dmp

Download
memory/3824-148-0x0000000000000000-mapping.dmp

Download
memory/3952-136-0x0000000000000000-mapping.dmp

Download
memory/3988-138-0x0000000000000000-mapping.dmp

Download
memory/4204-134-0x0000000000000000-mapping.dmp

Download
memory/4276-140-0x0000000000000000-mapping.dmp

Download
memory/4348-167-0x0000000000000000-mapping.dmp

Download
memory/4600-144-0x0000000000000000-mapping.dmp

Download
memory/4636-160-0x0000000000000000-mapping.dmp

Download
memory/4760-146-0x0000000000000000-mapping.dmp

Download
memory/4820-141-0x0000000000000000-mapping.dmp

Download
memory/4868-152-0x0000000000000000-mapping.dmp

Download
memory/4944-153-0x0000000000000000-mapping.dmp

Download
memory/5008-165-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads