Analysis
-
max time kernel
267s -
max time network
278s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
02-03-2024 21:23
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win11-20240221-en
General
-
Target
Chernobyl.exe
-
Size
343KB
-
MD5
d576e0520faa40435d5bdc66304205f9
-
SHA1
b99fce6ebd094e2cbc29e1ed4e47360781e86c47
-
SHA256
2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
-
SHA512
6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98
-
SSDEEP
6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" Chernobyl.exe -
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Chernobyl.exe -
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 18 IoCs
Processes:
takeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exepid process 1508 takeown.exe 2660 icacls.exe 4508 takeown.exe 2472 takeown.exe 4088 takeown.exe 2204 icacls.exe 4488 icacls.exe 712 takeown.exe 3160 takeown.exe 700 takeown.exe 2412 takeown.exe 3452 icacls.exe 3780 takeown.exe 1120 takeown.exe 4040 takeown.exe 3704 takeown.exe 4424 takeown.exe 4204 takeown.exe -
Modifies file permissions 1 TTPs 18 IoCs
Processes:
takeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exepid process 712 takeown.exe 4204 takeown.exe 3780 takeown.exe 4508 takeown.exe 2204 icacls.exe 2472 takeown.exe 4088 takeown.exe 1120 takeown.exe 3704 takeown.exe 3452 icacls.exe 2412 takeown.exe 4488 icacls.exe 2660 icacls.exe 700 takeown.exe 4040 takeown.exe 3160 takeown.exe 4424 takeown.exe 1508 takeown.exe -
Processes:
Chernobyl.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" Chernobyl.exe -
Drops file in System32 directory 1 IoCs
Processes:
Chernobyl.exedescription ioc process File opened for modification C:\Windows\SysWOW64\kill.ico Chernobyl.exe -
Drops file in Windows directory 2 IoCs
Processes:
Chernobyl.exedescription ioc process File created C:\Windows\cluttscape.exe Chernobyl.exe File opened for modification C:\Windows\cluttscape.exe Chernobyl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
Processes:
Chernobyl.exeMiniSearchHost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" Chernobyl.exe Key created \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
tasklist.exeChernobyl.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 4888 tasklist.exe Token: SeDebugPrivilege 1100 Chernobyl.exe Token: SeDebugPrivilege 1100 Chernobyl.exe Token: SeTakeOwnershipPrivilege 4088 takeown.exe Token: SeTakeOwnershipPrivilege 2472 takeown.exe Token: SeTakeOwnershipPrivilege 4424 takeown.exe Token: SeTakeOwnershipPrivilege 2412 takeown.exe Token: SeTakeOwnershipPrivilege 1120 takeown.exe Token: SeTakeOwnershipPrivilege 1508 takeown.exe Token: SeTakeOwnershipPrivilege 4204 takeown.exe Token: SeTakeOwnershipPrivilege 712 takeown.exe Token: SeTakeOwnershipPrivilege 700 takeown.exe Token: SeTakeOwnershipPrivilege 3780 takeown.exe Token: SeTakeOwnershipPrivilege 4040 takeown.exe Token: SeTakeOwnershipPrivilege 3160 takeown.exe Token: SeTakeOwnershipPrivilege 4508 takeown.exe Token: SeTakeOwnershipPrivilege 3704 takeown.exe Token: SeShutdownPrivilege 1100 Chernobyl.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MiniSearchHost.exepid process 440 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Chernobyl.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1100 wrote to memory of 3268 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 3268 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 3268 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 2828 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 2828 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 2828 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 2036 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 2036 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 2036 1100 Chernobyl.exe cmd.exe PID 3268 wrote to memory of 3876 3268 cmd.exe rundll32.exe PID 3268 wrote to memory of 3876 3268 cmd.exe rundll32.exe PID 3268 wrote to memory of 3876 3268 cmd.exe rundll32.exe PID 1100 wrote to memory of 764 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 764 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 764 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 1524 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 1524 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 1524 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 4236 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 4236 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 4236 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 3748 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 3748 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 3748 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 392 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 392 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 392 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 5068 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 5068 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 5068 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 1228 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 1228 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 1228 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 4516 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 4516 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 4516 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 792 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 792 1100 Chernobyl.exe cmd.exe PID 1100 wrote to memory of 792 1100 Chernobyl.exe cmd.exe PID 2828 wrote to memory of 1088 2828 cmd.exe rundll32.exe PID 2828 wrote to memory of 1088 2828 cmd.exe rundll32.exe PID 2828 wrote to memory of 1088 2828 cmd.exe rundll32.exe PID 2036 wrote to memory of 3480 2036 cmd.exe rundll32.exe PID 2036 wrote to memory of 3480 2036 cmd.exe rundll32.exe PID 2036 wrote to memory of 3480 2036 cmd.exe rundll32.exe PID 764 wrote to memory of 928 764 cmd.exe rundll32.exe PID 764 wrote to memory of 928 764 cmd.exe rundll32.exe PID 764 wrote to memory of 928 764 cmd.exe rundll32.exe PID 4236 wrote to memory of 2836 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 2836 4236 cmd.exe rundll32.exe PID 4236 wrote to memory of 2836 4236 cmd.exe rundll32.exe PID 3748 wrote to memory of 2904 3748 cmd.exe rundll32.exe PID 3748 wrote to memory of 2904 3748 cmd.exe rundll32.exe PID 3748 wrote to memory of 2904 3748 cmd.exe rundll32.exe PID 1524 wrote to memory of 4136 1524 cmd.exe rundll32.exe PID 1524 wrote to memory of 4136 1524 cmd.exe rundll32.exe PID 1524 wrote to memory of 4136 1524 cmd.exe rundll32.exe PID 1228 wrote to memory of 4888 1228 cmd.exe rundll32.exe PID 1228 wrote to memory of 4888 1228 cmd.exe rundll32.exe PID 1228 wrote to memory of 4888 1228 cmd.exe rundll32.exe PID 792 wrote to memory of 2164 792 cmd.exe rundll32.exe PID 792 wrote to memory of 2164 792 cmd.exe rundll32.exe PID 792 wrote to memory of 2164 792 cmd.exe rundll32.exe PID 4516 wrote to memory of 4924 4516 cmd.exe rundll32.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1100 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3876
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1088
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3480
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:928
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4136
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2836
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2904
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:392
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4268
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:5068
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3360
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4888
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2164
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit2⤵PID:4084
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\smss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit2⤵PID:2736
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\csrss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit2⤵PID:1652
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\wininit.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit2⤵PID:3484
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit2⤵PID:3280
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\lsass.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit2⤵PID:4208
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\services.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit2⤵PID:4608
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:712
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit2⤵PID:1388
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.efi3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:700
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit2⤵PID:4644
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4204
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:864
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit2⤵PID:676
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\svchost.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\svchost.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2204
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit2⤵PID:232
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\drivers\afunix.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3160
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4488
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit2⤵PID:3692
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\drivers\gm.dls3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3452
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit2⤵PID:248
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\drivers\gmreadme.txt3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3704
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2660
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2072
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵PID:1704
-
C:\Windows\System32\tasklist.exetasklist2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:440
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\╬žæ7▲9◘•↕ø•◙☼õ²æ₧↕♪≈²äř¾ß♫☻▲ř▌œ™ŸŸεŸš☺¥1¢▼Σ5²╠♠☻•ææč╧╚¶™•æ♦╥—π○◘◘╥╥φ╩±¬↑œéß±®φ×¢²↕►¶×ß♠▼¬Ÿ♣ö3♪Çÿ¤ó±
Filesize666B
MD59e1e5883c74742a497cf5c272ccd2321
SHA12cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b