Analysis
- max time kernel: 41s
- max time network: 47s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 20:14
Static task: static1
Behavioral task: behavioral1
Sample: 1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
Resource: win7-20240508-en
General
- Target: 1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
- Size: 93KB
- MD5: 1d499ca722b1d20f4f77ead9224b30c9
- SHA1: adcc862f2657a6474d7e7cc1bb5f7befc863e7ec
- SHA256: 454ca1ab51dcd5f7b5654eeec763e8d45278d1f7a2ba48db0c8ffc52831bfd84
- SHA512: 0aa0552fcf30f55575076bc12a7a551a84319e3b4de904189d38d75fd14043891468cc5c52416cbdb650bf7b043c8a5763817f593f48ce43b094e653a4e6e410
- SSDEEP: 1536:r7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfkw0P3ry:n7DhdC6kzWypvaQ0FxyNTBfk3O
Malware Config
Signatures
- Possible privilege escalation attempt (36 IoCs)
  Processes (pid, process):
  icacls.exe: 624, 1584, 3076, 536, 1152, 3912, 4088, 1012, 1316, 1288, 3324, 5048, 2588, 2400, 1368, 1940, 1412, 1820
  takeown.exe: 2688, 400, 1984, 3268, 4104, 4000, 4480, 1492, 820, 4416, 1404, 2776, 2740, 4648, 3060, 2468, 828, 4836
- Modifies file permissions (1 TTP, 36 IoCs)
  Processes (pid, process):
  icacls.exe: 1288, 1368, 1584, 1412, 1152, 1012, 2400, 3324, 1940, 624, 1820, 3912, 2588, 1316, 3076, 536, 5048, 4088
  takeown.exe: 820, 1984, 3060, 1492, 4648, 2688, 400, 2776, 2740, 4836, 1404, 3268, 4104, 4416, 2468, 4480, 828, 4000
- Drops file in Windows directory (64 IoCs)
  Process: cmd.exe
  Files opened for modification by cmd.exe:
  C:\Windows\Boot\PCAT\et-EE\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\ru-RU\bootmgr.exe.mui
  C:\Windows\Boot\EFI\cs-CZ\memtest.efi.mui
  C:\Windows\Boot\EFI\fi-FI\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\hu-HU\memtest.efi.mui
  C:\Windows\Boot\EFI\tr-TR\memtest.efi.mui
  C:\Windows\Boot\Fonts\cht_boot.ttf
  C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin
  C:\Windows\Boot\Fonts\segoen_slboot.ttf
  C:\Windows\Boot\Fonts\msjhn_boot.ttf
  C:\Windows\Boot\EFI\hr-HR\bootmgfw.efi.mui
  C:\Windows\Boot\Fonts\chs_boot.ttf
  C:\Windows\Boot\PCAT\ja-JP\memtest.exe.mui
  C:\Windows\Boot\PCAT\zh-TW\bootmgr.exe.mui
  C:\Windows\Boot\EFI\fi-FI\memtest.efi.mui
  C:\Windows\Boot\EFI\kd_02_1af4.dll
  C:\Windows\Boot\EFI\el-GR\memtest.efi.mui
  C:\Windows\Boot\EFI\fr-FR\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\nl-NL\memtest.efi.mui
  C:\Windows\Boot\DVD\EFI\boot.sdi
  C:\Windows\Boot\PCAT\zh-CN\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\en-GB\bootmgr.exe.mui
  C:\Windows\Boot\EFI\en-US\memtest.efi.mui
  C:\Windows\Boot\EFI\et-EE\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\zh-TW\memtest.efi.mui
  C:\Windows\Boot\Fonts\kor_boot.ttf
  C:\Windows\Boot\Fonts\malgun_boot.ttf
  C:\Windows\Boot\PCAT\es-ES\bootmgr.exe.mui
  C:\Windows\Boot\Resources\fr-FR\bootres.dll.mui
  C:\Windows\Boot\EFI\en-US\bootmgfw.efi.mui
  C:\Windows\Boot\PCAT\nb-NO\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\pl-PL\memtest.exe.mui
  C:\Windows\Boot\PCAT\pt-PT\bootmgr.exe.mui
  C:\Windows\Boot\EFI\el-GR\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\ru-RU\memtest.efi.mui
  C:\Windows\Boot\PCAT\it-IT\memtest.exe.mui
  C:\Windows\Boot\Resources\ja-JP\bootres.dll.mui
  C:\Windows\Boot\EFI\it-IT\memtest.efi.mui
  C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin
  C:\Windows\Boot\EFI\es-ES\bootmgr.efi.mui
  C:\Windows\Boot\EFI\sr-Latn-RS\bootmgr.efi.mui
  C:\Windows\Boot\PCAT\en-US\memtest.exe.mui
  C:\Windows\Boot\PCAT\fi-FI\memtest.exe.mui
  C:\Windows\Boot\DVD\EFI\en-US\efisys.bin
  C:\Windows\Boot\EFI\kd_07_1415.dll
  C:\Windows\Boot\EFI\zh-TW\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\kd_02_8086.dll
  C:\Windows\Boot\EFI\ja-JP\memtest.efi.mui
  C:\Windows\Boot\DVD\EFI\BCD
  C:\Windows\Boot\EFI\ko-KR\memtest.efi.mui
  C:\Windows\Boot\PCAT\cs-CZ\bootmgr.exe.mui
  C:\Windows\Boot\EFI\de-DE\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\qps-ploc\memtest.efi.mui
  C:\Windows\Boot\PCAT\fr-FR\memtest.exe.mui
  C:\Windows\Boot\DVD\PCAT\en-US\bootfix.bin
  C:\Windows\Boot\Fonts\msyhn_boot.ttf
  C:\Windows\Boot\PCAT\nl-NL\memtest.exe.mui
  C:\Windows\Boot\PCAT\pt-BR\memtest.exe.mui
  C:\Windows\Boot\EFI\en-GB\bootmgr.efi.mui
  C:\Windows\Boot\EFI\pt-BR\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\pt-PT\bootmgr.efi.mui
  C:\Windows\Boot\DVD\PCAT\boot.sdi
  C:\Windows\Boot\EFI\pl-PL\bootmgr.efi.mui
  C:\Windows\Boot\EFI\winsipolicy.p7b
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeTakeOwnershipPrivilege, adjusted by takeown.exe in PIDs 4480, 3268, 4104, 2740, 4836, 4416, 3060, 4000, 2468, 2688, 1404, 1984, 400, 4648, 828
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe, cmd.exe (each write below is recorded twice in the report)
  PID 2312 (1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe) wrote to memory of PID 5052 (cmd.exe)
  PID 5052 (cmd.exe) wrote to memory of (pid, target process):
  4480 takeown.exe, 624 icacls.exe, 2776 takeown.exe, 1012 icacls.exe, 3268 takeown.exe, 3076 icacls.exe, 4104 takeown.exe, 1288 icacls.exe, 2740 takeown.exe, 2588 icacls.exe, 4836 takeown.exe, 2400 icacls.exe, 4416 takeown.exe, 1152 icacls.exe, 3060 takeown.exe, 536 icacls.exe, 4000 takeown.exe, 1368 icacls.exe, 2468 takeown.exe, 3324 icacls.exe, 2688 takeown.exe, 1584 icacls.exe, 1404 takeown.exe, 1412 icacls.exe, 1492 takeown.exe, 1316 icacls.exe, 820 takeown.exe, 1820 icacls.exe, 1984 takeown.exe, 3912 icacls.exe, 400 takeown.exe
Processes
Process tree (indentation shows parent/child depth; image path, then command line, then the signatures hit):
C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\519A.tmp\519B.tmp\519C.bat C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\ntoskrnl.exe"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -r -f -skipsl "C:\Windows\Boot"
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\bfsvc.exe"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System\SHELL.DLL"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System\SHELL.DLL" /grant "Admin:F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\kernel32.dll"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\advapi32.dll"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\user32.dll"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\gdi32.dll"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\win32k.sys"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\ntdll.dll"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\ANSI.SYS"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\ANSI.SYS" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\hall.dll"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -r -f -skipsl "C:\Users\Public"
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\icacls.exe: ICACLS "C:\Users\Public" /t /c /grant "Admin:F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System32\Boot\winload.exe"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System32\Boot\winload.exe" /grant "Admin:F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System\avicap.dll"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System\avicap.dll" /grant Admin:F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System\COMMDLG.DLL"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System\COMMDLG.DLL" /grant Admin:F
      - Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\takeown.exe: takeown -f "C:\Windows\System\keyboard.drv"
      - Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe: ICACLS "C:\Windows\System\keyboard.drv" /grant Admin:F
      - Possible privilege escalation attempt; Modifies file permissions
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\519A.tmp\519B.tmp\519C.bat
  Filesize: 3KB
  MD5: 411b15479e88b188dc741f7f83eda07e
  SHA1: 1c2d076c497dd21f31d6cfb839fe809c6374ab70
  SHA256: e1e7b274e80ebb009eacd476eb942a18dc4540bf2100d12009c73b64200d981a
  SHA512: fe3eea4ceeecaa279e46ebf29fa44814154083c9ba56f0591a4c399021075bfabd51a075ba5cbaa331a26d20958035bc45ec0badd0adc02ad1f0e8f1346e2a94