Analysis

max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-11-2024 02:36

Static task: static1
Behavioral task: behavioral1
  Sample: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
  Resource: win10v2004-20241007-en

The signatures and process tree on this page are from the Windows 7 x64 run (behavioral1, win7-20240903-en).
General

Target: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
Size: 125KB
MD5: a293e528bd51b9d91da21e8cbfa8e5f5
SHA1: c82ecf0733270f0807cb86bad5e1c0126284fd62
SHA256: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5
SHA512: 9223707eff3ac89eef7aed38d761926d4d17fafb1ff302ee35e5940fe30a3a7f478d5d59bb3c4864f4c25f2b34af2e769cea298826fdfe65f0c62009e879c020
SSDEEP: 3072:6KnT6V9P0IbarstiLniYqANZcfBuydIvRuX1FH4zUFluD:6m6VunedBuydVFH4zUF
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 3 IoCs
Processes:
  2312 powershell.exe
  1964 powershell.exe
  2940 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  3052 netsh.exe
Possible privilege escalation attempt 14 IoCs
Processes:
  2692 takeown.exe
  2544 icacls.exe
  2572 icacls.exe
  1764 icacls.exe
  1380 icacls.exe
  2628 takeown.exe
  2668 icacls.exe
  2516 icacls.exe
  1648 icacls.exe
  2612 icacls.exe
  2784 icacls.exe
  3008 icacls.exe
  3012 icacls.exe
  380 icacls.exe

Modifies file permissions 1 TTPs 14 IoCs
Processes: the same 14 takeown.exe and icacls.exe processes listed above (1764, 1380, 3012, 3008, 2516, 2612, 2784, 2544, 2668, 2572, 1648, 2692, 2628, 380).

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs

Both signatures fire on takeown.exe / icacls.exe use. Every one of these commands targets a DLL under the Windows system directory (see the process tree below), so what the sandbox labels "privilege escalation" is ownership and ACL tampering that lets the sample write over a protected system file; the sample's own token privileges are not changed by these commands.
Drops file in System32 directory 2 IoCs
Processes:
  File created: C:\Windows\SysWOW64\ksuser.dll (4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe)
  File opened for modification: C:\Windows\SysWOW64\ksuser.dll (4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe)

ksuser.dll is a legitimate Windows library (the kernel-streaming user-mode client), so the sample is replacing a system DLL rather than dropping a new file. The sample and all of its children run from C:\Windows\SysWOW64, i.e. as 32-bit processes; the C:\Windows\system32\ksuser.dll paths in the takeown/icacls command lines below are therefore subject to WoW64 file-system redirection and refer to this same SysWOW64 copy.
Drops file in Windows directory 1 IoCs
Processes:
  File opened for modification: C:\Windows\Logs\DISM\dism.log (Dism.exe)

This is DISM's normal log file; the notable part of the Dism.exe activity is its command line (enabling the legacy DirectPlay optional feature), not the log write.
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  netsh.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh

These three IoCs are reads only. netsh.exe enumerates this key at every start to load its registered helper DLLs, and no write to the key is recorded. The single netsh invocation in the tree (PID 3052) is `netsh advfirewall set allprofiles state off`, which is a firewall disable (Impair Defenses), not helper-DLL persistence.
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (every IoC is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"):
  cmd.exe (5)
  powershell.exe (3)
  netsh.exe (1)
  takeown.exe (2)
  icacls.exe (12)
  Dism.exe (1)
  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe (1)

Every process in the tree, including the stock Windows utilities, opens this key: it is read during normal locale initialisation. On its own it is not evidence that the sample deliberately checks the system language.
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  2312 powershell.exe
  2940 powershell.exe
  1964 powershell.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
  Token: SeDebugPrivilege 2312 powershell.exe
  Token: SeDebugPrivilege 2940 powershell.exe
  Token: SeDebugPrivilege 1964 powershell.exe
  Token: SeTakeOwnershipPrivilege 2692 takeown.exe
  Token: SeTakeOwnershipPrivilege 2628 takeown.exe
  Token: SeRestorePrivilege 2544 icacls.exe
  Token: SeRestorePrivilege 1648 icacls.exe

PIDs 2544 and 1648 are the two `icacls ... /setowner "NT SERVICE\TrustedInstaller` runs; assigning ownership to a principal other than yourself requires SeRestorePrivilege, which is why only those two icacls.exe instances enable a privilege.
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each parent -> child pair appears four times in the raw list, 16 pairs x 4 = 64 entries; the list stops at 64, so the later icacls.exe children of PID 2204 shown in the process tree are not in it):
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2280 cmd.exe
  2280 cmd.exe -> 2312 powershell.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 1968 cmd.exe
  1968 cmd.exe -> 2940 powershell.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2248 cmd.exe
  2248 cmd.exe -> 1964 powershell.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2120 cmd.exe
  2120 cmd.exe -> 3052 netsh.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2644 cmd.exe
  2644 cmd.exe -> 2688 Dism.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2692 takeown.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2628 takeown.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2612 icacls.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2784 icacls.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 3008 icacls.exe
  2204 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe -> 2544 icacls.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  (PID 2204)
  "C:\Users\Admin\AppData\Local\Temp\4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 2280)
    C:\Windows\system32\cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2312)
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 1968)
    C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2940)
      powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 2248)
    C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1964)
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 2120)
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 3052)
      netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (PID 2644)
    C:\Windows\system32\cmd.exe /c dism /Online /enable-feature /FeatureName:"DirectPlay" /All
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Dism.exe  (PID 2688)
      dism /Online /enable-feature /FeatureName:"DirectPlay" /All
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\takeown.exe  (PID 2692)
    takeown /f "C:\Windows\system32\ksuser.dll" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\takeown.exe  (PID 2628)
    takeown /f "C:\Windows\system32\ksuser.dll"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe  (PID 2612)
    icacls C:\Windows\system32\ksuser.dll /grant Administrators:(F,DE)
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 2784)
    icacls C:\Windows\system32\ksuser.dll /grant "Admin":(F,DE)
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 3008)
    icacls C:\Windows\system32\ksuser.dll /inheritance:d
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 2544)
    icacls C:\Windows\system32\ksuser.dll /setowner "NT SERVICE\TrustedInstaller
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe  (PID 2668)
    icacls C:\Windows\system32\ksuser.dll /grant:r "NT SERVICE\TrustedInstaller":F
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 2516)
    icacls C:\Windows\system32\ksuser.dll /grant:r "Administrators":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 2572)
    icacls C:\Windows\system32\ksuser.dll /grant:r "Admin":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 3012)
    icacls C:\Windows\system32\ksuser64.dll /inheritance:d
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 1648)
    icacls C:\Windows\system32\ksuser64.dll /setowner "NT SERVICE\TrustedInstaller
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe  (PID 1764)
    icacls C:\Windows\system32\ksuser64.dll /grant:r "NT SERVICE\TrustedInstaller":F
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 1380)
    icacls C:\Windows\system32\ksuser64.dll /grant:r "Administrators":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\icacls.exe  (PID 380)
    icacls C:\Windows\system32\ksuser64.dll /grant:r "Admin":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

Reading the tree: every child runs from C:\Windows\SysWOW64, so the sample is a 32-bit process using the 32-bit copies of the system tools. In order, it disables Defender real-time monitoring (PID 2312); adds a Defender process exclusion for C:\Windows\SysWOW64\uavh.dll (PID 2940), a file that no other event in this report creates, and a path exclusion for its own Temp directory (PID 1964); turns the firewall off for all profiles (PID 3052); enables the legacy DirectPlay optional feature with DISM (PID 2688); then takes ownership of ksuser.dll, first for the Administrators group (/A, PID 2692) and then for the current user (PID 2628), grants Administrators and the Admin account full control (2612, 2784), disables ACL inheritance (3008), and finally hands ownership back to TrustedInstaller and reduces Administrators and Admin to read/execute (2544, 2668, 2516, 2572), which leaves the file's ACL looking like a stock system file. The same inheritance/owner/grant sequence is run against ksuser64.dll (3012, 1648, 1764, 1380, 380) without a preceding takeown, and the report records no file operation on that name. Because the tools are 32-bit, WoW64 file-system redirection maps the C:\Windows\system32\ksuser.dll in these command lines to C:\Windows\SysWOW64\ksuser.dll, the file the sample is recorded creating and modifying. The two /setowner command lines are missing their closing quote exactly as recorded.
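As an added example (not part of the sandbox report, and not the sample's code), the detection logic a SOC would run over process-creation telemetry for the chain shown in the tree above. The events are constructed from the tree's PIDs, images and command lines in Sysmon-style fields (pid, ppid, image, command line); PPID 1000 is a placeholder for the sample's unrecorded parent, and the ATT&CK sub-technique IDs are this example's own mapping. The WoW64 path resolution reflects the point made above: a 32-bit tool naming C:\Windows\system32\ is redirected to SysWOW64.

```python
import re
from collections import defaultdict

SAMPLE = "4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW = r"C:\Windows\SysWOW64"
SYS32 = r"C:\Windows\system32"
CMD = SYS32 + r"\cmd.exe /c "          # cmd.exe /c wrapper as the tree records it
PS = 'powershell -Command "%s"'        # powershell wrapper as the tree records it
PS_OFF = PS % "Set-MpPreference -DisableRealtimeMonitoring $true"
PS_EXCL_PROC = PS % ("Add-MpPreference -ExclusionProcess '" + SYSWOW + r"\uavh.dll'")
PS_EXCL_PATH = PS % ("Add-MpPreference -ExclusionPath '" + TEMP + "'")
NETSH = "netsh advfirewall set allprofiles state off"
DISM = 'dism /Online /enable-feature /FeatureName:"DirectPlay" /All'
KSUSER, KSUSER64 = SYS32 + r"\ksuser.dll", SYS32 + r"\ksuser64.dll"

# Constructed events (pid, ppid, image, command line) copied from the process tree above.
# PPID 1000 is a placeholder: the report does not record the sample's own parent.
EVENTS = [
    (2204, 1000, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    (2280, 2204, SYSWOW + r"\cmd.exe", CMD + PS_OFF),
    (2312, 2280, SYSWOW + r"\WindowsPowerShell\v1.0\powershell.exe", PS_OFF),
    (1968, 2204, SYSWOW + r"\cmd.exe", CMD + PS_EXCL_PROC),
    (2940, 1968, SYSWOW + r"\WindowsPowerShell\v1.0\powershell.exe", PS_EXCL_PROC),
    (2248, 2204, SYSWOW + r"\cmd.exe", CMD + PS_EXCL_PATH),
    (1964, 2248, SYSWOW + r"\WindowsPowerShell\v1.0\powershell.exe", PS_EXCL_PATH),
    (2120, 2204, SYSWOW + r"\cmd.exe", CMD + NETSH),
    (3052, 2120, SYSWOW + r"\netsh.exe", NETSH),
    (2644, 2204, SYSWOW + r"\cmd.exe", CMD + DISM),
    (2688, 2644, SYSWOW + r"\Dism.exe", DISM),
    (2692, 2204, SYSWOW + r"\takeown.exe", f'takeown /f "{KSUSER}" /A'),
    (2628, 2204, SYSWOW + r"\takeown.exe", f'takeown /f "{KSUSER}"'),
    (2612, 2204, SYSWOW + r"\icacls.exe", f"icacls {KSUSER} /grant Administrators:(F,DE)"),
    (2784, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER} /grant "Admin":(F,DE)'),
    (3008, 2204, SYSWOW + r"\icacls.exe", f"icacls {KSUSER} /inheritance:d"),
    (2544, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER} /setowner "NT SERVICE\\TrustedInstaller'),
    (2668, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER} /grant:r "NT SERVICE\\TrustedInstaller":F'),
    (2516, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER} /grant:r "Administrators":RX'),
    (2572, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER} /grant:r "Admin":RX'),
    (3012, 2204, SYSWOW + r"\icacls.exe", f"icacls {KSUSER64} /inheritance:d"),
    (1648, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER64} /setowner "NT SERVICE\\TrustedInstaller'),
    (1764, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER64} /grant:r "NT SERVICE\\TrustedInstaller":F'),
    (1380, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER64} /grant:r "Administrators":RX'),
    (380, 2204, SYSWOW + r"\icacls.exe", f'icacls {KSUSER64} /grant:r "Admin":RX'),
]

DEFENDER_OFF = re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
FIREWALL_OFF = re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
ACL_TOOL = re.compile(r'\b(?:takeown\s+/f|icacls)\s+"?([^"\s]+)', re.I)       # target path
FULL_GRANT = re.compile(r'/grant(?::r)?\s+(?:"([^"]+)"|(\S+?)):\(?F', re.I)   # principal given F
TI_RESTORE = re.compile(r'/setowner\s+"?NT SERVICE\\TrustedInstaller', re.I)  # unbalanced quote as recorded

def resolve_wow64(path, image):
    # A 32-bit tool (image under SysWOW64) that names C:\Windows\system32\ is redirected to SysWOW64.
    if "\\syswow64\\" in image.lower() and path.lower().startswith(SYS32.lower() + "\\"):
        return SYSWOW + path[len(SYS32):]
    return path

def root_of(pid, parents):
    # Walk ppid links up to the first process whose parent is not in the event set.
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid

def analyze(events):
    """Return (root_pid, pid, technique, detail) findings for the defence-evasion chain."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    findings, acl_ops = [], defaultdict(list)   # acl_ops: resolved target -> [(pid, cmdline)]
    for pid, _, image, cmd in events:
        if image.lower().endswith("\\cmd.exe"):
            continue                             # score the child that does the work, not the cmd /c wrapper
        root = root_of(pid, parents)
        if DEFENDER_OFF.search(cmd):
            findings.append((root, pid, "T1562.001", "Defender real-time monitoring disabled"))
        m = DEFENDER_EXCL.search(cmd)
        if m:
            findings.append((root, pid, "T1562.001", f"Defender exclusion added ({m.group(1)}: {m.group(2)})"))
        if FIREWALL_OFF.search(cmd):
            findings.append((root, pid, "T1562.004", "Windows Firewall turned off"))
        m = ACL_TOOL.search(cmd)
        if m:
            acl_ops[resolve_wow64(m.group(1), image)].append((pid, cmd))
    # takeown/icacls against a file under %SystemRoot%: report who got full control and whether
    # ownership was handed back to TrustedInstaller afterwards (the "looks stock again" finish).
    for target, ops in acl_ops.items():
        if not target.lower().startswith("c:\\windows\\"):
            continue
        full = sorted({(m.group(1) or m.group(2)) for _, c in ops for m in [FULL_GRANT.search(c)] if m})
        took = any(c.lower().startswith("takeown") for _, c in ops)
        restored = any(TI_RESTORE.search(c) for _, c in ops)
        detail = f"{target}: takeown={took}, full control to {full}, TrustedInstaller restored={restored}"
        findings.append((root_of(ops[0][0], parents), ops[0][0], "T1222.001", detail))
    return findings

def summarize(findings):
    """Collapse findings to {root_pid: set of technique IDs}: one alert per process tree."""
    out = defaultdict(set)
    for root, _, technique, _ in findings:
        out[root].add(technique)
    return dict(out)
```

Run `analyze(EVENTS)` to get six findings, all rooted at PID 2204: the Defender disable, the two exclusions (the ExclusionProcess one carries the uavh.dll path), the firewall disable, and one ACL finding per resolved target (C:\Windows\SysWOW64\ksuser.dll with takeown=True and the TrustedInstaller restore, and ksuser64.dll with takeown=False). Grouping by root PID with `summarize` is what turns a dozen individually "admin-looking" commands into a single alert on the process that spawned them.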
Network
MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)

This matrix summary lists only Persistence and Privilege Escalation entries. It has no Defense Evasion row for the Defender and firewall tampering in the process tree, and no entry for the File and Directory Permissions Modification signature above, so it should not be read as a complete technique list for the run.
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (a Windows jump-list file, routinely rewritten by Explorer)
  Filesize: 7KB
  MD5: 318bbadca4bbe9f6dd12cea2d215b449
  SHA1: bbeb5e53d2e690b74f74c2e2479a77cb492eaded
  SHA256: 8d8c0c7f340d5321884913f1f7877303d324237e41992c5739e31aa7f0db7f1e
  SHA512: f3032f51611a6b3f44c3c0a6320d6d9d030ac533c3fad394442620158091b92bf28af4e34ce6b1f92eb0507baa1e55644019432124af1bb0108952391e8762b5

(no path recorded in the report)
  Filesize: 118KB
  MD5: d5f3ecad923278e96bbbb6796f0bbca5
  SHA1: 9c54ba7de2d02306e3fcfa949163f10086c3ca3b
  SHA256: 447ae50e3e916b31ca861c97e9aab69301cec7ac9f1e527c07048ea7cba81807
  SHA512: 9c27b05c497ba2662b93092d848c02ae3cadc8096618df488371be03859dc701e3d167745507b23a017c4d35b96cf285642af75f13ee749bafa891d25c671e5a