be984dcb05ac824b5ffcab2d7c0c2c5f131da0801c8efb93e953a65d71cadd41

Analysis

max time kernel
147s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
Size

108KB
MD5

19e46408cdf85c1790728b2ad1e00dec
SHA1

f5c355b93840cb4038852d67611ca7160a5692f3
SHA256

be984dcb05ac824b5ffcab2d7c0c2c5f131da0801c8efb93e953a65d71cadd41
SHA512

641dda503ec23dec97562952d297bac137f0064b47f47837c73f8d42c76e8c4c26f69eae5e0e5bf2653c8ad754f5520460b54d5410cc5c359676cf4415523754
SSDEEP

3072:AxCuqnzsUkYrPHl5dBONYIoriXIrKfiHpI61FFTF:Ax/YrLdBONYH+IrK0I61

Score

8^/10

defense_evasion discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

5052 takeown.exe
2876 icacls.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

916 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

916 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

5052 takeown.exe
2876 icacls.exe

pid	process
5052	takeown.exe
2876	icacls.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe

pid	process
916	regsvr32.exe

pid	process
916	regsvr32.exe

pid	process
5052	takeown.exe
2876	icacls.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 4 IoCs

Processes:

regsvr32.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

regsvr32.exe

pid process

916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe
916 regsvr32.exe

pid	process
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe
916	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

regsvr32.exetakeown.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	916	regsvr32.exe
Token: SeTakeOwnershipPrivilege	5052	takeown.exe
Token: SeAssignPrimaryTokenPrivilege	2084	svchost.exe
Token: SeIncreaseQuotaPrivilege	2084	svchost.exe
Token: SeSecurityPrivilege	2084	svchost.exe
Token: SeTakeOwnershipPrivilege	2084	svchost.exe
Token: SeLoadDriverPrivilege	2084	svchost.exe
Token: SeSystemtimePrivilege	2084	svchost.exe
Token: SeBackupPrivilege	2084	svchost.exe
Token: SeRestorePrivilege	2084	svchost.exe
Token: SeShutdownPrivilege	2084	svchost.exe
Token: SeSystemEnvironmentPrivilege	2084	svchost.exe
Token: SeUndockPrivilege	2084	svchost.exe
Token: SeManageVolumePrivilege	2084	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2084	svchost.exe
Token: SeIncreaseQuotaPrivilege	2084	svchost.exe
Token: SeSecurityPrivilege	2084	svchost.exe
Token: SeTakeOwnershipPrivilege	2084	svchost.exe
Token: SeLoadDriverPrivilege	2084	svchost.exe
Token: SeSystemtimePrivilege	2084	svchost.exe
Token: SeBackupPrivilege	2084	svchost.exe
Token: SeRestorePrivilege	2084	svchost.exe
Token: SeShutdownPrivilege	2084	svchost.exe
Token: SeSystemEnvironmentPrivilege	2084	svchost.exe
Token: SeUndockPrivilege	2084	svchost.exe
Token: SeManageVolumePrivilege	2084	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2084	svchost.exe
Token: SeIncreaseQuotaPrivilege	2084	svchost.exe
Token: SeSecurityPrivilege	2084	svchost.exe
Token: SeTakeOwnershipPrivilege	2084	svchost.exe
Token: SeLoadDriverPrivilege	2084	svchost.exe
Token: SeSystemtimePrivilege	2084	svchost.exe
Token: SeBackupPrivilege	2084	svchost.exe
Token: SeRestorePrivilege	2084	svchost.exe
Token: SeShutdownPrivilege	2084	svchost.exe
Token: SeSystemEnvironmentPrivilege	2084	svchost.exe
Token: SeUndockPrivilege	2084	svchost.exe
Token: SeManageVolumePrivilege	2084	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2084	svchost.exe
Token: SeIncreaseQuotaPrivilege	2084	svchost.exe
Token: SeSecurityPrivilege	2084	svchost.exe
Token: SeTakeOwnershipPrivilege	2084	svchost.exe
Token: SeLoadDriverPrivilege	2084	svchost.exe
Token: SeSystemtimePrivilege	2084	svchost.exe
Token: SeBackupPrivilege	2084	svchost.exe
Token: SeRestorePrivilege	2084	svchost.exe
Token: SeShutdownPrivilege	2084	svchost.exe
Token: SeSystemEnvironmentPrivilege	2084	svchost.exe
Token: SeUndockPrivilege	2084	svchost.exe
Token: SeManageVolumePrivilege	2084	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2084	svchost.exe
Token: SeIncreaseQuotaPrivilege	2084	svchost.exe
Token: SeSecurityPrivilege	2084	svchost.exe
Token: SeTakeOwnershipPrivilege	2084	svchost.exe
Token: SeLoadDriverPrivilege	2084	svchost.exe
Token: SeSystemtimePrivilege	2084	svchost.exe
Token: SeBackupPrivilege	2084	svchost.exe
Token: SeRestorePrivilege	2084	svchost.exe
Token: SeShutdownPrivilege	2084	svchost.exe
Token: SeSystemEnvironmentPrivilege	2084	svchost.exe
Token: SeUndockPrivilege	2084	svchost.exe
Token: SeManageVolumePrivilege	2084	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2084	svchost.exe
Token: SeIncreaseQuotaPrivilege	2084	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exeregsvr32.exe

description	pid	process	target process
PID 2520 wrote to memory of 916	2520	19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe	regsvr32.exe
PID 2520 wrote to memory of 916	2520	19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe	regsvr32.exe
PID 2520 wrote to memory of 916	2520	19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe	regsvr32.exe
PID 916 wrote to memory of 5052	916	regsvr32.exe	takeown.exe
PID 916 wrote to memory of 5052	916	regsvr32.exe	takeown.exe
PID 916 wrote to memory of 5052	916	regsvr32.exe	takeown.exe
PID 916 wrote to memory of 2876	916	regsvr32.exe	icacls.exe
PID 916 wrote to memory of 2876	916	regsvr32.exe	icacls.exe
PID 916 wrote to memory of 2876	916	regsvr32.exe	icacls.exe
PID 916 wrote to memory of 796	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 796	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 908	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 908	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 956	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 956	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 748	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 748	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1048	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1048	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1056	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1056	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1108	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1108	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1116	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1116	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1156	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1156	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1188	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1188	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1280	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1280	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1320	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1320	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1336	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1336	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1436	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1436	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1460	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1460	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1576	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1576	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1588	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1588	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1632	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1632	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1728	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1728	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1760	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1760	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1772	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1772	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1880	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1880	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2020	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2020	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2028	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2028	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1100	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 1100	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2052	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2052	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2084	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2084	916	regsvr32.exe	svchost.exe
PID 916 wrote to memory of 2196	916	regsvr32.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2⤵
PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2788

C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\e5757a5~.tmp ,C:\Users\Admin\AppData\Local\Temp\19e46408cdf85c1790728b2ad1e00dec_JaffaCakes118.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2876

C:\Windows\SysWOW64\cmd.exe
cmd /c del %SystemRoot%\system32\rpcss.dll~*
3⤵
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5757a5~.tmp
Filesize
915KB

MD5
36f922a60f155a6f3559bdb5f85a2701

SHA1
2f3b4b2dd7e66910288d3e932968b21544db8343

SHA256
3077dfd2d02e710597f6b398a9b9c5bb0f797f6ad6c6013ef0e222d6c7b13bbd

SHA512
6567f10e5b426e55e83370593bd62046d63f8c020f83451f72fde08aee5f2f38f480fe1cba5312efd5bb863d81971f60cbd49ba31cf6dbcac55e7fd3cb84947f

Download Submit
C:\Windows\SysWOW64\apa.dll
Filesize
221B

MD5
ff5f253c12dd8373c347b218fc46adf9

SHA1
a42b85049849d001cb83ffab4cefc6edcb863613

SHA256
7a45df2b7128f24e56986db32feedd12694a34cdab9d86cede6f871fe1f9b3e0

SHA512
ca3c5f36d07c75c41c174baaa9d077f336c666c55de7139eda8593f0e95f7d2fa63bde9578cd1defd5fd6f44e53266d0555fac86fd98c1eed00b04db5c845645

Download Submit