Analysis
-
max time kernel
39s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-03-2024 00:45
Static task
static1
Behavioral task
behavioral1
Sample
Chernobyl.exe
Resource
win7-20240221-en
General
-
Target
Chernobyl.exe
-
Size
343KB
-
MD5
d576e0520faa40435d5bdc66304205f9
-
SHA1
b99fce6ebd094e2cbc29e1ed4e47360781e86c47
-
SHA256
2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
-
SHA512
6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98
-
SSDEEP
6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" Chernobyl.exe -
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Chernobyl.exe -
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 20 IoCs
Processes:
takeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exepid process 896 takeown.exe 1472 takeown.exe 2504 icacls.exe 2752 takeown.exe 868 takeown.exe 1276 takeown.exe 1700 takeown.exe 1880 icacls.exe 584 takeown.exe 2796 takeown.exe 2184 takeown.exe 2932 takeown.exe 864 takeown.exe 1660 takeown.exe 2632 takeown.exe 1556 icacls.exe 2256 icacls.exe 2016 icacls.exe 1420 takeown.exe 724 icacls.exe -
Modifies file permissions 1 TTPs 20 IoCs
Processes:
takeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exepid process 2796 takeown.exe 1556 icacls.exe 724 icacls.exe 2752 takeown.exe 1276 takeown.exe 584 takeown.exe 2932 takeown.exe 864 takeown.exe 2184 takeown.exe 1700 takeown.exe 1660 takeown.exe 2632 takeown.exe 2016 icacls.exe 896 takeown.exe 1472 takeown.exe 2504 icacls.exe 868 takeown.exe 1880 icacls.exe 1420 takeown.exe 2256 icacls.exe -
Processes:
Chernobyl.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" Chernobyl.exe -
Drops file in System32 directory 1 IoCs
Processes:
Chernobyl.exedescription ioc process File opened for modification C:\Windows\SysWOW64\kill.ico Chernobyl.exe -
Drops file in Windows directory 2 IoCs
Processes:
Chernobyl.exedescription ioc process File opened for modification C:\Windows\cluttscape.exe Chernobyl.exe File created C:\Windows\cluttscape.exe Chernobyl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" Chernobyl.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
Chernobyl.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exedescription pid process Token: SeDebugPrivilege 1728 Chernobyl.exe Token: SeDebugPrivilege 1728 Chernobyl.exe Token: SeTakeOwnershipPrivilege 896 takeown.exe Token: SeTakeOwnershipPrivilege 2932 takeown.exe Token: SeTakeOwnershipPrivilege 1472 takeown.exe Token: SeTakeOwnershipPrivilege 2752 takeown.exe Token: SeTakeOwnershipPrivilege 864 takeown.exe Token: SeTakeOwnershipPrivilege 868 takeown.exe Token: SeTakeOwnershipPrivilege 1700 takeown.exe Token: SeTakeOwnershipPrivilege 1276 takeown.exe Token: SeTakeOwnershipPrivilege 1660 takeown.exe Token: SeTakeOwnershipPrivilege 2796 takeown.exe Token: SeTakeOwnershipPrivilege 2632 takeown.exe Token: SeTakeOwnershipPrivilege 2184 takeown.exe Token: SeTakeOwnershipPrivilege 1420 takeown.exe Token: SeTakeOwnershipPrivilege 584 takeown.exe Token: SeShutdownPrivilege 1728 Chernobyl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Chernobyl.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1728 wrote to memory of 1256 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1256 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1256 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1256 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 2220 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 2220 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 2220 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 2220 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1476 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1476 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1476 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1476 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1504 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1504 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1504 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 1504 1728 Chernobyl.exe cmd.exe PID 2220 wrote to memory of 2332 2220 cmd.exe rundll32.exe PID 2220 wrote to memory of 2332 2220 cmd.exe rundll32.exe PID 2220 wrote to memory of 2332 2220 cmd.exe rundll32.exe PID 2220 wrote to memory of 2332 2220 cmd.exe rundll32.exe PID 2220 wrote to memory of 2332 2220 cmd.exe rundll32.exe PID 2220 wrote to memory of 2332 2220 cmd.exe rundll32.exe PID 2220 wrote to memory of 2332 2220 cmd.exe rundll32.exe PID 1256 wrote to memory of 1964 1256 cmd.exe rundll32.exe PID 1256 wrote to memory of 1964 1256 cmd.exe rundll32.exe PID 1256 wrote to memory of 1964 1256 cmd.exe rundll32.exe PID 1256 wrote to memory of 1964 1256 cmd.exe rundll32.exe PID 1256 wrote to memory of 1964 1256 cmd.exe rundll32.exe PID 1256 wrote to memory of 1964 1256 cmd.exe rundll32.exe PID 1256 wrote to memory of 1964 1256 cmd.exe rundll32.exe PID 1728 wrote to memory of 816 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 816 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 816 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 816 1728 Chernobyl.exe cmd.exe PID 1476 wrote to memory of 284 1476 cmd.exe rundll32.exe PID 1476 wrote to memory of 284 1476 cmd.exe rundll32.exe PID 1476 wrote to memory of 284 1476 cmd.exe rundll32.exe PID 1476 wrote to memory of 284 1476 cmd.exe rundll32.exe PID 1476 wrote to memory of 284 1476 cmd.exe rundll32.exe PID 1476 wrote to memory of 284 1476 cmd.exe rundll32.exe PID 1476 wrote to memory of 284 1476 cmd.exe rundll32.exe PID 1728 wrote to memory of 628 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 628 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 628 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 628 1728 Chernobyl.exe cmd.exe PID 1504 wrote to memory of 904 1504 cmd.exe rundll32.exe PID 1504 wrote to memory of 904 1504 cmd.exe rundll32.exe PID 1504 wrote to memory of 904 1504 cmd.exe rundll32.exe PID 1504 wrote to memory of 904 1504 cmd.exe rundll32.exe PID 1504 wrote to memory of 904 1504 cmd.exe rundll32.exe PID 1504 wrote to memory of 904 1504 cmd.exe rundll32.exe PID 1504 wrote to memory of 904 1504 cmd.exe rundll32.exe PID 816 wrote to memory of 900 816 cmd.exe rundll32.exe PID 816 wrote to memory of 900 816 cmd.exe rundll32.exe PID 816 wrote to memory of 900 816 cmd.exe rundll32.exe PID 816 wrote to memory of 900 816 cmd.exe rundll32.exe PID 816 wrote to memory of 900 816 cmd.exe rundll32.exe PID 816 wrote to memory of 900 816 cmd.exe rundll32.exe PID 816 wrote to memory of 900 816 cmd.exe rundll32.exe PID 1728 wrote to memory of 856 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 856 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 856 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 856 1728 Chernobyl.exe cmd.exe PID 1728 wrote to memory of 2164 1728 Chernobyl.exe cmd.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Chernobyl.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" Chernobyl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Chernobyl.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1728 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1964
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2332
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:284
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:904
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:900
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:628
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:1524
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:856
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:3064
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2164
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2604
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2152
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2724
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2516
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2532
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2616
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2856
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit2⤵PID:2564
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵PID:2568
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit2⤵PID:2776
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\smss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit2⤵PID:2928
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\csrss.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:896
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit2⤵PID:2984
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\wininit.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\wininit.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2504
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit2⤵PID:2180
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit2⤵PID:2680
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\lsass.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:864
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit2⤵PID:2740
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\services.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit2⤵PID:2772
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winlogon.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit2⤵PID:2348
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.efi3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit2⤵PID:2212
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\winload.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit2⤵PID:2268
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\ntoskrnl.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\ntoskrnl.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit2⤵PID:2204
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\svchost.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\svchost.exe /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1880
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit2⤵PID:1996
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\drivers\gm.dls3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit2⤵PID:604
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\drivers\gmreadme.txt3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2256
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\wimmount.sys && icacls C:\Windows\System32\drivers\wimmount.sys /grant "%username%:F" && exit2⤵PID:688
-
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\System32\drivers\wimmount.sys3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:584
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\System32\drivers\wimmount.sys /grant "Admin:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:724
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"1⤵PID:2828
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Winlogon Helper DLL
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\♣6í○╬å↑œ×π╬ל飱¾č991Ǥ╩♫╩ñ▌š¼Ç◄6œ«ø¢½7ε♣ÿ∩♦√6╤σö2²☺¾♫◘±▄▌♥♂≈8▼•řóč☼œ█ñ☼¬ß╠◘®2Ÿ7φπŸµ£Ÿ±±╔ž█ñ±5█ń♫æ▀2
Filesize666B
MD59e1e5883c74742a497cf5c272ccd2321
SHA12cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b