Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-11-2024 13:22
Static task: static1
Behavioral task: behavioral1
  Sample: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
  Resource: win10v2004-20241007-en
General
Target: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
Size: 125KB
MD5: a293e528bd51b9d91da21e8cbfa8e5f5
SHA1: c82ecf0733270f0807cb86bad5e1c0126284fd62
SHA256: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5
SHA512: 9223707eff3ac89eef7aed38d761926d4d17fafb1ff302ee35e5940fe30a3a7f478d5d59bb3c4864f4c25f2b34af2e769cea298826fdfe65f0c62009e879c020
SSDEEP: 3072:6KnT6V9P0IbarstiLniYqANZcfBuydIvRuX1FH4zUFluD:6m6VunedBuydVFH4zUF
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 3 IoCs
Processes:
  pid   process
  2420  powershell.exe
  1856  powershell.exe
  2812  powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  pid   process
  2652  netsh.exe
Possible privilege escalation attempt 14 IoCs
Processes:
  pid   process
  2576  icacls.exe
  1876  icacls.exe
  1628  icacls.exe
  2484  icacls.exe
  2612  icacls.exe
  536   icacls.exe
  2548  icacls.exe
  400   icacls.exe
  2832  takeown.exe
  1996  icacls.exe
  1892  icacls.exe
  2588  takeown.exe
  1128  icacls.exe
  1592  icacls.exe
Modifies file permissions 1 TTPs 14 IoCs
Processes:
  pid   process
  2588  takeown.exe
  536   icacls.exe
  1128  icacls.exe
  2832  takeown.exe
  2548  icacls.exe
  1628  icacls.exe
  2484  icacls.exe
  400   icacls.exe
  1592  icacls.exe
  1892  icacls.exe
  2576  icacls.exe
  2612  icacls.exe
  1876  icacls.exe
  1996  icacls.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
Drops file in System32 directory 2 IoCs
Note: the sample and its takeown/icacls children are 32-bit processes (they run from C:\Windows\SysWOW64), so the C:\Windows\system32\ksuser.dll path in their command lines is redirected by WOW64 file-system redirection to C:\Windows\SysWOW64\ksuser.dll, which is the path recorded here. The 64-bit copy under C:\Windows\System32 is not reached by these command lines as run.
Processes:
  description                   ioc                             process
  File created                  C:\Windows\SysWOW64\ksuser.dll  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
  File opened for modification  C:\Windows\SysWOW64\ksuser.dll  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe
Drops file in Windows directory 1 IoCs
Processes:
  description                   ioc                            process
  File opened for modification  C:\Windows\Logs\DISM\dism.log  Dism.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Note: the three operations below are opens, queries and value enumerations of the helper key, which netsh performs at startup on every invocation; no helper value is written, so this is a side effect of the firewall command rather than a helper DLL being registered for persistence.
Processes:
  description           ioc                                                     process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Note: the NLS\Language key is read during locale initialisation by practically every process started here, including cmd.exe and icacls.exe, so on its own this signature carries little weight.
Processes:
  description  ioc                                                          process (count)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  icacls.exe (12), cmd.exe (5), powershell.exe (3), takeown.exe (2), Dism.exe (1), netsh.exe (1), 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe (1)
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid   process
  2420  powershell.exe
  1856  powershell.exe
  2812  powershell.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          2420  powershell.exe
  Token: SeDebugPrivilege          1856  powershell.exe
  Token: SeDebugPrivilege          2812  powershell.exe
  Token: SeTakeOwnershipPrivilege  2832  takeown.exe
  Token: SeTakeOwnershipPrivilege  2588  takeown.exe
  Token: SeRestorePrivilege        2548  icacls.exe
  Token: SeRestorePrivilege        1996  icacls.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each parent/child pair is logged four times; 16 distinct pairs, 64 entries; the list stops at 64, so the later icacls children visible in the process tree, PIDs 1128, 1876, 400, 1628, 1996, 1592, 2484 and 1892, do not appear here):
  description      pid   process                                                                   target pid  target process
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2412        cmd.exe
  wrote to memory  2412  cmd.exe                                                                   2420        powershell.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2496        cmd.exe
  wrote to memory  2496  cmd.exe                                                                   1856        powershell.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2800        cmd.exe
  wrote to memory  2800  cmd.exe                                                                   2812        powershell.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2932        cmd.exe
  wrote to memory  2932  cmd.exe                                                                   2652        netsh.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2560        cmd.exe
  wrote to memory  2560  cmd.exe                                                                   2868        Dism.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2832        takeown.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2588        takeown.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2576        icacls.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2612        icacls.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  536         icacls.exe
  wrote to memory  3044  4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  2548        icacls.exe
Processes
Indented by process depth ([1] = submitted sample, [2] = its children, [3] = grandchildren). Each entry gives the image path and PID, then the command line, then the signatures that matched that process.

[1] C:\Users\Admin\AppData\Local\Temp\4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe  (PID 3044)
    "C:\Users\Admin\AppData\Local\Temp\4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5.exe"
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2412)
        C:\Windows\system32\cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2420)
            powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2496)
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1856)
            powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2800)
        C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2812)
            powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2932)
        C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\netsh.exe  (PID 2652)
            netsh advfirewall set allprofiles state off
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe  (PID 2560)
        C:\Windows\system32\cmd.exe /c dism /Online /enable-feature /FeatureName:"DirectPlay" /All
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\Dism.exe  (PID 2868)
            dism /Online /enable-feature /FeatureName:"DirectPlay" /All
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\takeown.exe  (PID 2832)
        takeown /f "C:\Windows\system32\ksuser.dll" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\takeown.exe  (PID 2588)
        takeown /f "C:\Windows\system32\ksuser.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 2576)
        icacls C:\Windows\system32\ksuser.dll /grant Administrators:(F,DE)
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 2612)
        icacls C:\Windows\system32\ksuser.dll /grant "Admin":(F,DE)
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 536)
        icacls C:\Windows\system32\ksuser.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 2548)
        icacls C:\Windows\system32\ksuser.dll /setowner "NT SERVICE\TrustedInstaller
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 1128)
        icacls C:\Windows\system32\ksuser.dll /grant:r "NT SERVICE\TrustedInstaller":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 1876)
        icacls C:\Windows\system32\ksuser.dll /grant:r "Administrators":RX
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 400)
        icacls C:\Windows\system32\ksuser.dll /grant:r "Admin":RX
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 1628)
        icacls C:\Windows\system32\ksuser64.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 1996)
        icacls C:\Windows\system32\ksuser64.dll /setowner "NT SERVICE\TrustedInstaller
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 1592)
        icacls C:\Windows\system32\ksuser64.dll /grant:r "NT SERVICE\TrustedInstaller":F
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 2484)
        icacls C:\Windows\system32\ksuser64.dll /grant:r "Administrators":RX
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\icacls.exe  (PID 1892)
        icacls C:\Windows\system32\ksuser64.dll /grant:r "Admin":RX
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
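The command sequence above reads as one procedure: turn off Defender real-time monitoring, exclude a SysWOW64 DLL and the user's Temp directory from scanning, switch off every firewall profile, enable DirectPlay with DISM, take ownership of ksuser.dll, loosen its ACL long enough to overwrite it, then hand ownership back to TrustedInstaller and restore read-only access so the file looks untouched. The following PowerShell script is an added example written for this page; it is not code from the sandbox report or from the sample. It checks a host for exactly those leftovers. It assumes Windows 8.1/10 or Server 2012 R2 or later (Get-NetFirewallProfile and catalog-aware Get-AuthenticodeSignature are not available on Windows 7), an elevated session, and that -KnownGoodHash, a placeholder parameter, is filled with the SHA256 of ksuser.dll from a clean host of the same build; the report does not give that value. The SHA256 list inside the script is copied from the report; the report does not say what the 118KB captured file is, so a match is reported as a match and nothing more.

```powershell
<#
  Added example for this page; not code from the sandbox report or the sample.
  Host triage for the footprints of the process tree above.
  Assumptions: Windows 8.1/10 or Server 2012 R2+, elevated PowerShell,
  -KnownGoodHash supplied from a clean reference host (placeholder, not from the report).
#>
[CmdletBinding()]
param(
    [string]$KnownGoodHash = ''
)

# SHA256 values recorded in the report: the submitted sample and the two captured files.
$ReportHashes = @(
    '4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5',
    '7bf26e1e8abe4f3a205274e8be18b942770dc1aa11deea3dba9dd20178d55952',
    '447ae50e3e916b31ca861c97e9aab69301cec7ac9f1e527c07048ea7cba81807'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender: Set-MpPreference -DisableRealtimeMonitoring $true,
#    Add-MpPreference -ExclusionProcess / -ExclusionPath.
$mp = Get-MpPreference
if ($mp.DisableRealtimeMonitoring) {
    $findings.Add('Defender real-time monitoring is disabled')
}
foreach ($p in @($mp.ExclusionProcess)) {
    if ($p -like "$env:SystemRoot\SysWOW64\*" -or $p -like "$env:SystemRoot\System32\*") {
        $findings.Add("Defender process exclusion inside the Windows directory: $p")
    }
}
foreach ($p in @($mp.ExclusionPath)) {
    if ($p -like '*\AppData\Local\Temp*') {
        $findings.Add("Defender path exclusion on a Temp directory: $p")
    }
}

# 2. Firewall: netsh advfirewall set allprofiles state off
foreach ($fw in Get-NetFirewallProfile) {
    if ($fw.Enabled -eq 'False') {
        $findings.Add("Firewall profile disabled: $($fw.Name)")
    }
}

# 3. ksuser.dll. The sample and its takeown/icacls children are 32-bit, so their
#    C:\Windows\system32\ksuser.dll is redirected to SysWOW64; check both copies.
foreach ($path in @("$env:SystemRoot\SysWOW64\ksuser.dll", "$env:SystemRoot\System32\ksuser.dll")) {
    if (-not (Test-Path -Path $path)) { continue }
    $item  = Get-Item -Path $path
    $hash  = (Get-FileHash -Algorithm SHA256 -Path $path).Hash.ToLower()
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $owner = (Get-Acl -Path $path).Owner

    if ($ReportHashes -contains $hash) {
        $findings.Add("$path matches a SHA256 recorded in the report: $hash")
    }
    if ($KnownGoodHash -and $hash -ne $KnownGoodHash.ToLower()) {
        $findings.Add("$path SHA256 $hash differs from the reference copy")
    }
    # OS binaries are catalog-signed; anything but 'Valid' needs the hash
    # comparison above before it can be called benign.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("$path signature status is $($sig.Status)")
    }
    # The sample resets the owner to TrustedInstaller; any other owner means its
    # icacls clean-up did not finish. A recent write time is a hint either way.
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings.Add("$path owner is $owner")
    }
    if ($item.LastWriteTime -gt (Get-Date).AddDays(-7)) {
        $findings.Add("$path last written $($item.LastWriteTime)")
    }
}

# 4. DISM: enabling DirectPlay leaves a record in dism.log.
$dismLog = "$env:SystemRoot\Logs\DISM\dism.log"
if (Test-Path -Path $dismLog) {
    Select-String -Path $dismLog -Pattern 'DirectPlay' | Select-Object -Last 3 | ForEach-Object {
        $findings.Add("dism.log: $($_.Line.Trim())")
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

Run it elevated, since recent Defender builds hide exclusion lists from non-administrators. A host where ksuser.dll hashes to the reference copy, is owned by TrustedInstaller and reports a valid signature, with real-time monitoring on and all profiles enabled, shows none of this sample's leftovers; a TrustedInstaller owner on its own proves nothing, because restoring that owner is the last step the sample runs.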
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 9097a720cc51c72f6bb72c9ca5e1d356
  SHA1: bf7e0aa6735a280d24e7641fe498b6f6f663f381
  SHA256: 7bf26e1e8abe4f3a205274e8be18b942770dc1aa11deea3dba9dd20178d55952
  SHA512: 6f543364c015523665599117410173b905ea2326ff0c7fd6d308dde08b6e5579e38b454d0e8594e9f8d5fbc059ccdc5988744ae3efdc08f5dc95aa0f643da44e
(file path not recorded in the report)
  Filesize: 118KB
  MD5: d5f3ecad923278e96bbbb6796f0bbca5
  SHA1: 9c54ba7de2d02306e3fcfa949163f10086c3ca3b
  SHA256: 447ae50e3e916b31ca861c97e9aab69301cec7ac9f1e527c07048ea7cba81807
  SHA512: 9c27b05c497ba2662b93092d848c02ae3cadc8096618df488371be03859dc701e3d167745507b23a017c4d35b96cf285642af75f13ee749bafa891d25c671e5a