Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2024 11:24
Static task: static1
Behavioral task: behavioral1
  Sample: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
  Resource: win10v2004-20241007-en
General
Target: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Size: 409KB
MD5: b23232263d0ff718419df3180d3d8670
SHA1: 194d700b79d7ffa681aaad1fd5010d788a4713ee
SHA256: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781
SHA512: 7c478b9cf4556539d8cd2a9165d11558a9957f7dc9ae25bd2380c02fa01e37061b6e5717d978eae87e7b074524b390d7f6a78d238240e3e1ffc45a259227c553
SSDEEP: 6144:YQMmbjV28okoS4oImBvIEtTawRbvbKw4IPCFRvzvU+Yrw:YWoioS/Z6H
Malware Config
Signatures
Processes:
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)
Disables Task Manager via registry modification
Possible privilege escalation attempt 40 IoCs
Modifies file permissions 1 TTPs 40 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe BATCF %1" (process: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe)
Drops file in System32 directory 1 IoCs
Processes:
File created C:\Windows\SysWOW64\msinfo32.exe (process: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 13 IoCs
Processes (all set by ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe JPGIF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe JPGIF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe VBSSF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe RTFDF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe HTMWF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe BATCF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe CMDSF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe JPGIF %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe JPGIF %1"
Modifies registry key 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 19 IoCs
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
Token: SeDebugPrivilege 3020 ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Token: SeTakeOwnershipPrivilege takeown.exe (PIDs 1972, 2400, 1832, 1572, 2780, 2748, 2732, 584, 2716, 2996, 2776, 2956, 2784, 2984, 2972, 1672, 2876, 2868, 2288, 1092)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
"C:\Users\Admin\AppData\Local\Temp\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe"  [level 1]
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3020
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f  [level 2]
  - UAC bypass
  - Modifies registry key
  PID: 2516
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f  [level 2]
  - Modifies registry key
  PID: 1728
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\bfsvc.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 1972
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2116
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\HelpPane.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2400
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 1292
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\hh.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2972
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2260
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\splwow64.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2732
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 1964
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\winhlp32.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2776
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 840
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\write.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2748
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2988
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\raserver.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2784
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 756
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msra.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2780
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2812
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2996
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2720
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2984
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2744
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2716
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2628
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\logagent.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2876
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2888
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2956
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2832
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 1672
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2592
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 584
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2240
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2868
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 1748
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 1572
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 3064
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\runas.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2288
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 780
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 1832
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 2836
  "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 1092
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)  [level 2]
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 1884
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
Filesize: 409KB
MD5: 0df947b73c872296ea1dfc0edb053a63
SHA1: a4ac1ff54d2d2bd64e1b20fbecd6ea17bbd82c3b
SHA256: 5f6b42abf6814fa58d2b44bec6899d173394c6a41536565deb93b20440f3b7d8
SHA512: 6285d77529396d350de859f71529cd2abd15f31ce9498321b9bcb425a8f69ecbaab5681546211d870670c991176d3ae930dce2b515db0a8f133e058ca013c76a