6b0a9042919243dbd7e2f81c2ba38f1a5f3dfc5fbbecf9e3d5a0c21244893e62

Analysis

max time kernel
104s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f43b9396551277894edec9387907d50_JaffaCakes118.exe
Size

231KB
MD5

3f43b9396551277894edec9387907d50
SHA1

34e98b4f6d80ca68a4abae365524f8c9c64f8cce
SHA256

6b0a9042919243dbd7e2f81c2ba38f1a5f3dfc5fbbecf9e3d5a0c21244893e62
SHA512

0f2fadf026c23d96263a18c5237b9f9d4ac3fb3ff2ae0db4df7e0a7d11f5220d8e4b6bec42697b53177aedaa14eced1352efa56d544e432dd0affa3dcb601636
SSDEEP

3072:AcKmbKLz5qdjmoLO0rzUd7OmGvXjW6BWHo6X6mnfWWI+PuWdpnWpo1d3/1975llM:AcKmbKLleA5LW697FswfdTyjV1

Score

9^/10

defense_evasion discovery evasion exploit ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
940	bcdedit.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\DRIVERS\ETC\HOSTS	cmd.exe
File opened for modification	C:\Windows\System32\DRIVERS\ETC\HOSTS	cmd.exe
File opened for modification	C:\Windows\System32\DRIVERS\ETC\hosts	attrib.exe

Possible privilege escalation attempt 18 IoCs

exploit

pid	Process
2360	icacls.exe
1044	icacls.exe
1092	icacls.exe
2612	icacls.exe
1340	icacls.exe
1996	icacls.exe
2192	takeown.exe
1548	icacls.exe
1552	icacls.exe
1668	takeown.exe
1660	icacls.exe
1872	icacls.exe
1704	icacls.exe
2340	icacls.exe
1048	icacls.exe
2260	icacls.exe
288	icacls.exe
2024	icacls.exe

Executes dropped EXE 1 IoCs

pid	Process
2204	bootsect.exe

Modifies file permissions 1 TTPs 18 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1996	icacls.exe
1704	icacls.exe
2340	icacls.exe
1548	icacls.exe
1048	icacls.exe
1044	icacls.exe
1872	icacls.exe
288	icacls.exe
1668	takeown.exe
2192	takeown.exe
1340	icacls.exe
2024	icacls.exe
2260	icacls.exe
1660	icacls.exe
2612	icacls.exe
2360	icacls.exe
1092	icacls.exe
1552	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\SysWOW64\slmgr.vbs	cmd.exe
File created	C:\Windows\System32\slmgr.vbs	cmd.exe
File opened for modification	C:\Windows\System32\slmgr.vbs	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\MBR\bootsect.exe	3f43b9396551277894edec9387907d50_JaffaCakes118.exe
File created	C:\Windows\MBR\HOSTS	3f43b9396551277894edec9387907d50_JaffaCakes118.exe
File created	C:\Windows\MBR\sfix.cmd	3f43b9396551277894edec9387907d50_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootsect.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2948	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2204	bootsect.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeTakeOwnershipPrivilege	1668	takeown.exe
Token: SeSecurityPrivilege	1996	icacls.exe
Token: SeTakeOwnershipPrivilege	2192	takeown.exe
Token: SeSecurityPrivilege	2360	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2972	1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2972	1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2972	1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2948	2972	cmd.exe	31
PID 2972 wrote to memory of 2948	2972	cmd.exe	31
PID 2972 wrote to memory of 2948	2972	cmd.exe	31
PID 1820 wrote to memory of 828	1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe	33
PID 1820 wrote to memory of 828	1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe	33
PID 1820 wrote to memory of 828	1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe	33
PID 828 wrote to memory of 2892	828	cmd.exe	35
PID 828 wrote to memory of 2892	828	cmd.exe	35
PID 828 wrote to memory of 2892	828	cmd.exe	35
PID 2892 wrote to memory of 2724	2892	cmd.exe	37
PID 2892 wrote to memory of 2724	2892	cmd.exe	37
PID 2892 wrote to memory of 2724	2892	cmd.exe	37
PID 2892 wrote to memory of 2720	2892	cmd.exe	38
PID 2892 wrote to memory of 2720	2892	cmd.exe	38
PID 2892 wrote to memory of 2720	2892	cmd.exe	38
PID 2892 wrote to memory of 2740	2892	cmd.exe	39
PID 2892 wrote to memory of 2740	2892	cmd.exe	39
PID 2892 wrote to memory of 2740	2892	cmd.exe	39
PID 2892 wrote to memory of 2784	2892	cmd.exe	40
PID 2892 wrote to memory of 2784	2892	cmd.exe	40
PID 2892 wrote to memory of 2784	2892	cmd.exe	40
PID 2892 wrote to memory of 2768	2892	cmd.exe	41
PID 2892 wrote to memory of 2768	2892	cmd.exe	41
PID 2892 wrote to memory of 2768	2892	cmd.exe	41
PID 2892 wrote to memory of 760	2892	cmd.exe	42
PID 2892 wrote to memory of 760	2892	cmd.exe	42
PID 2892 wrote to memory of 760	2892	cmd.exe	42
PID 2892 wrote to memory of 2804	2892	cmd.exe	43
PID 2892 wrote to memory of 2804	2892	cmd.exe	43
PID 2892 wrote to memory of 2804	2892	cmd.exe	43
PID 2892 wrote to memory of 2896	2892	cmd.exe	44
PID 2892 wrote to memory of 2896	2892	cmd.exe	44
PID 2892 wrote to memory of 2896	2892	cmd.exe	44
PID 2892 wrote to memory of 2544	2892	cmd.exe	45
PID 2892 wrote to memory of 2544	2892	cmd.exe	45
PID 2892 wrote to memory of 2544	2892	cmd.exe	45
PID 2892 wrote to memory of 2460	2892	cmd.exe	46
PID 2892 wrote to memory of 2460	2892	cmd.exe	46
PID 2892 wrote to memory of 2460	2892	cmd.exe	46
PID 2892 wrote to memory of 2776	2892	cmd.exe	47
PID 2892 wrote to memory of 2776	2892	cmd.exe	47
PID 2892 wrote to memory of 2776	2892	cmd.exe	47
PID 2776 wrote to memory of 2092	2776	cmd.exe	48
PID 2776 wrote to memory of 2092	2776	cmd.exe	48
PID 2776 wrote to memory of 2092	2776	cmd.exe	48
PID 2776 wrote to memory of 2224	2776	cmd.exe	49
PID 2776 wrote to memory of 2224	2776	cmd.exe	49
PID 2776 wrote to memory of 2224	2776	cmd.exe	49
PID 2892 wrote to memory of 288	2892	cmd.exe	50
PID 2892 wrote to memory of 288	2892	cmd.exe	50
PID 2892 wrote to memory of 288	2892	cmd.exe	50
PID 2892 wrote to memory of 1668	2892	cmd.exe	51
PID 2892 wrote to memory of 1668	2892	cmd.exe	51
PID 2892 wrote to memory of 1668	2892	cmd.exe	51
PID 2892 wrote to memory of 1660	2892	cmd.exe	52
PID 2892 wrote to memory of 1660	2892	cmd.exe	52
PID 2892 wrote to memory of 1660	2892	cmd.exe	52
PID 2892 wrote to memory of 1996	2892	cmd.exe	53
PID 2892 wrote to memory of 1996	2892	cmd.exe	53
PID 2892 wrote to memory of 1996	2892	cmd.exe	53
PID 1820 wrote to memory of 2824	1820	3f43b9396551277894edec9387907d50_JaffaCakes118.exe	54

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2212	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f43b9396551277894edec9387907d50_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c taskkill /f /im explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c start /w /min %WINDIR%\MBR\sfix slmgr.vbs x86
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Windows\MBR\sfix slmgr.vbs x86
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs x86"
      4⤵
      PID:2724
  - - C:\Windows\system32\find.exe
      find "?"
      4⤵
      PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs"
      4⤵
      PID:2740
  - - C:\Windows\system32\find.exe
      find /i "\syswow64"
      4⤵
      PID:2784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.x86"
      4⤵
      PID:2768
  - - C:\Windows\system32\find.exe
      find "64"
      4⤵
      PID:760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.x86"
      4⤵
      PID:2804
  - - C:\Windows\system32\find.exe
      find "32"
      4⤵
      PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.x86"
      4⤵
      PID:2544
  - - C:\Windows\system32\find.exe
      find "86"
      4⤵
      PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir /s /b "C:\Windows\winsxs\slmgr.vbs"|find /i "86_microsoft"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir /s /b "C:\Windows\winsxs\slmgr.vbs""
        5⤵
        
        PID:2092
    - - C:\Windows\system32\find.exe
        
        find /i "86_microsoft"
        5⤵
        
        PID:2224
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\SysWOW64\slmgr.vbs" /save "C:\Users\Admin\AppData\Local\Temp\f1449231836.acl"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:288
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\SysWOW64\slmgr.vbs"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1668
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\SysWOW64\slmgr.vbs" /grant *s-1-1-0:f
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1660
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\SysWOW64" /restore "C:\Users\Admin\AppData\Local\Temp\f1449231836.acl"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c start /w /min %WINDIR%\MBR\sfix slmgr.vbs x64
  2⤵
  PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Windows\MBR\sfix slmgr.vbs x64
    3⤵
    - Drops file in System32 directory
    PID:884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs x64"
      4⤵
      PID:2660
  - - C:\Windows\system32\find.exe
      find "?"
      4⤵
      PID:2764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.slmgr.vbs"
      4⤵
      PID:2828
  - - C:\Windows\system32\find.exe
      find /i "\syswow64"
      4⤵
      PID:1264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.x64"
      4⤵
      PID:1384
  - - C:\Windows\system32\find.exe
      find "64"
      4⤵
      PID:1160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.x64"
      4⤵
      PID:3052
  - - C:\Windows\system32\find.exe
      find "32"
      4⤵
      PID:2304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo.x64"
      4⤵
      PID:2240
  - - C:\Windows\system32\find.exe
      find "86"
      4⤵
      PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir /s /b "C:\Windows\winsxs\slmgr.vbs"|find /i "64_microsoft"
      4⤵
      PID:2160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir /s /b "C:\Windows\winsxs\slmgr.vbs""
        5⤵
        
        PID:2584
    - - C:\Windows\system32\find.exe
        
        find /i "64_microsoft"
        5⤵
        
        PID:2604
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\slmgr.vbs" /save "C:\Users\Admin\AppData\Local\Temp\f1459026608.acl"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2612
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\slmgr.vbs"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2192
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\slmgr.vbs" /grant *s-1-1-0:f
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1340
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32" /restore "C:\Users\Admin\AppData\Local\Temp\f1459026608.acl"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2360
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c IF EXIST %WINDIR%\System32\Wat\WatAdminSvc.exe START %WINDIR%\System32\Wat\WatAdminSvc.exe /run
  2⤵
  PID:1036
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS*.* ATTRIB +A -H -R -S %WINDIR%\System32\DRIVERS\ETC\HOSTS*.*
  2⤵
  PID:2400
- - C:\Windows\system32\attrib.exe
    ATTRIB +A -H -R -S C:\Windows\System32\DRIVERS\ETC\HOSTS*.*
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:2212
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS.OLD DEL %WINDIR%\System32\DRIVERS\ETC\HOSTS.OLD
  2⤵
  PID:888
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\HOSTS REN %WINDIR%\System32\DRIVERS\ETC\HOSTS HOSTS.OLD
  2⤵
  PID:3028
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c IF EXIST %WINDIR%\System32\DRIVERS\ETC\NUL COPY /Y %WINDIR%\MBR\HOSTS %WINDIR%\System32\DRIVERS\ETC
  2⤵
  - Drops file in Drivers directory
  PID:2320
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c %WINDIR%\MBR\bootsect.exe /nt60 SYS /mbr /force
  2⤵
  PID:2044
- - C:\Windows\MBR\bootsect.exe
    C:\Windows\MBR\bootsect.exe /nt60 SYS /mbr /force
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2204
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c cscript %WINDIR%\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
  2⤵
  PID:2640
- - C:\Windows\system32\cscript.exe
    cscript C:\Windows\System32\slmgr.vbs -ipk D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV
    3⤵
    PID:2156
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c %WINDIR%\System32\bcdedit -set testsigning off
  2⤵
  PID:616
- - C:\Windows\System32\bcdedit.exe
    C:\Windows\System32\bcdedit -set testsigning off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:940
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rundll32 slc.dll,SLReArmWindows
  2⤵
  PID:2620
- - C:\Windows\system32\rundll32.exe
    rundll32 slc.dll,SLReArmWindows
    3⤵
    PID:1792
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c cscript %WINDIR%\System32\slmgr.vbs -rearm
  2⤵
  PID:1868
- - C:\Windows\system32\cscript.exe
    cscript C:\Windows\System32\slmgr.vbs -rearm
    3⤵
    PID:400
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\sppcext.dll /grant *S-1-1-0:F
  2⤵
  PID:2244
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\sppcext.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1548
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\sppcomapi.dll /grant *S-1-1-0:F
  2⤵
  PID:1556
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\sppcomapi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1704
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\sppcommdlg.dll /grant *S-1-1-0:F
  2⤵
  PID:1652
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\sppcommdlg.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2024
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\sppcext.dll /grant *S-1-1-0:F
  2⤵
  PID:2628
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\sppcext.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1044
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\slui.exe /grant *S-1-1-0:F
  2⤵
  PID:1248
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\slui.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1092
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\Wat\npWatWeb.dll /grant *S-1-1-0:F
  2⤵
  PID:2484
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Wat\npWatWeb.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1048
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
  2⤵
  PID:1480
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1552
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\Wat\WatUX.exe /grant *S-1-1-0:F
  2⤵
  PID:1740
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Wat\WatUX.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2260
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\Wat\WatWeb.dll /grant *S-1-1-0:F
  2⤵
  PID:2532
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Wat\WatWeb.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2340
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c icacls %WINDIR%\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
  2⤵
  PID:1512
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Wat\WatAdminSvc.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1872
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c start /wait /min sfc /scannow
  2⤵
  PID:2288
- - C:\Windows\system32\sfc.exe
    sfc /scannow
    3⤵
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact