52eca00f38a8b99e2750a5cac39eda89ea771ab5bd17c88172dcd9eddba2f124

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
Size

215KB
MD5

07e9b75c07aa0cce5d35d0d737198329
SHA1

a3562c2a34cc834dd53c1b2e963ec587ac9b849c
SHA256

52eca00f38a8b99e2750a5cac39eda89ea771ab5bd17c88172dcd9eddba2f124
SHA512

cc15020003f732f58405f8ad583d574215f74bb6d764bc95dcb5011082b5db2f697d27b6e9cf5e9d53abd483e7ffbd4b85eff5d281374b3251fc29a1f717dc5a
SSDEEP

6144:PMJNBqE5lmRWmRvH+Ed2315xc2PeZOqQUknu:PINBq4luWAPITdUODUknu

Score

8^/10

defense_evasion discovery exploit upx

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\tcpipreset	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\tcpipreset	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\system32\drivers\tcpip.copy	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\tcpip.copy	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe

Possible privilege escalation attempt 24 IoCs

exploit

pid	Process
2492	takeown.exe
1020	icacls.exe
2876	icacls.exe
2056	takeown.exe
1344	icacls.exe
2964	icacls.exe
2948	takeown.exe
2500	takeown.exe
1964	icacls.exe
1240	icacls.exe
2504	icacls.exe
2188	takeown.exe
2748	takeown.exe
2240	icacls.exe
1996	icacls.exe
1688	icacls.exe
2772	takeown.exe
2884	icacls.exe
536	icacls.exe
444	icacls.exe
2960	icacls.exe
2508	icacls.exe
2184	icacls.exe
2616	takeown.exe

Modifies file permissions 1 TTPs 24 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2772	takeown.exe
2948	takeown.exe
536	icacls.exe
2964	icacls.exe
2504	icacls.exe
2500	takeown.exe
2492	takeown.exe
444	icacls.exe
2056	takeown.exe
1344	icacls.exe
2884	icacls.exe
1996	icacls.exe
2184	icacls.exe
1020	icacls.exe
2960	icacls.exe
1964	icacls.exe
1240	icacls.exe
1688	icacls.exe
2616	takeown.exe
2188	takeown.exe
2876	icacls.exe
2748	takeown.exe
2240	icacls.exe
2508	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\System32\en-us\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\en-us\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\es-es\user32copy.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\es-es\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\it-it\user32copy.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\de-de\user32copy.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\de-de\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\en-us\user32copy.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\fr-fr\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\fr-fr\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\it-it\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\it-it\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\de-de\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\es-es\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\fr-fr\user32copy.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\ja-jp\user32copy.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File created	C:\Windows\System32\ja-jp\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\ja-jp\user32new.dll.mui	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-0-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral1/memory/2076-19-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2616	takeown.exe
Token: SeTakeOwnershipPrivilege	2500	takeown.exe
Token: SeTakeOwnershipPrivilege	2188	takeown.exe
Token: SeTakeOwnershipPrivilege	2772	takeown.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe
Token: SeTakeOwnershipPrivilege	2056	takeown.exe
Token: SeTakeOwnershipPrivilege	2948	takeown.exe
Token: SeTakeOwnershipPrivilege	2748	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2796	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2796	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2796	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2796	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	30
PID 2076 wrote to memory of 2816	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2816	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2816	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2816	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2692	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	33
PID 2076 wrote to memory of 2692	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	33
PID 2076 wrote to memory of 2692	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	33
PID 2076 wrote to memory of 2692	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	33
PID 2076 wrote to memory of 2840	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2840	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2840	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2840	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	34
PID 2076 wrote to memory of 2836	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	38
PID 2076 wrote to memory of 2836	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	38
PID 2076 wrote to memory of 2836	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	38
PID 2076 wrote to memory of 2836	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	38
PID 2076 wrote to memory of 2916	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	39
PID 2076 wrote to memory of 2916	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	39
PID 2076 wrote to memory of 2916	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	39
PID 2076 wrote to memory of 2916	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	39
PID 2076 wrote to memory of 2612	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	42
PID 2076 wrote to memory of 2612	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	42
PID 2076 wrote to memory of 2612	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	42
PID 2076 wrote to memory of 2612	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	42
PID 2076 wrote to memory of 2680	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	43
PID 2076 wrote to memory of 2680	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	43
PID 2076 wrote to memory of 2680	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	43
PID 2076 wrote to memory of 2680	2076	07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe	43
PID 2692 wrote to memory of 2616	2692	cmd.exe	46
PID 2692 wrote to memory of 2616	2692	cmd.exe	46
PID 2692 wrote to memory of 2616	2692	cmd.exe	46
PID 2796 wrote to memory of 2500	2796	cmd.exe	47
PID 2796 wrote to memory of 2500	2796	cmd.exe	47
PID 2796 wrote to memory of 2500	2796	cmd.exe	47
PID 2840 wrote to memory of 2772	2840	cmd.exe	48
PID 2840 wrote to memory of 2772	2840	cmd.exe	48
PID 2840 wrote to memory of 2772	2840	cmd.exe	48
PID 2816 wrote to memory of 2188	2816	cmd.exe	49
PID 2816 wrote to memory of 2188	2816	cmd.exe	49
PID 2816 wrote to memory of 2188	2816	cmd.exe	49
PID 2916 wrote to memory of 2492	2916	cmd.exe	50
PID 2916 wrote to memory of 2492	2916	cmd.exe	50
PID 2916 wrote to memory of 2492	2916	cmd.exe	50
PID 2692 wrote to memory of 1020	2692	cmd.exe	51
PID 2692 wrote to memory of 1020	2692	cmd.exe	51
PID 2692 wrote to memory of 1020	2692	cmd.exe	51
PID 2836 wrote to memory of 2056	2836	cmd.exe	52
PID 2836 wrote to memory of 2056	2836	cmd.exe	52
PID 2836 wrote to memory of 2056	2836	cmd.exe	52
PID 2796 wrote to memory of 2876	2796	cmd.exe	53
PID 2796 wrote to memory of 2876	2796	cmd.exe	53
PID 2796 wrote to memory of 2876	2796	cmd.exe	53
PID 2796 wrote to memory of 444	2796	cmd.exe	54
PID 2796 wrote to memory of 444	2796	cmd.exe	54
PID 2796 wrote to memory of 444	2796	cmd.exe	54
PID 2692 wrote to memory of 1344	2692	cmd.exe	55
PID 2692 wrote to memory of 1344	2692	cmd.exe	55
PID 2692 wrote to memory of 1344	2692	cmd.exe	55
PID 2816 wrote to memory of 2884	2816	cmd.exe	56
PID 2816 wrote to memory of 2884	2816	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07e9b75c07aa0cce5d35d0d737198329_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "Admin":f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2876
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:444
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "Admin":f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2884
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2960
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "Admin":f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1020
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1344
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "Admin":f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2964
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:536
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "Admin":f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2504
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2508
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "Admin":f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2240
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1964
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f"
  2⤵
  PID:2612
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1240
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1688
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"
  2⤵
  PID:2680
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1996
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2076-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2076-19-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2076-21-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download