e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d

General

Target

e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
Size

72KB
MD5

0a0b8feecd353748e99aa8e920dc45b0
SHA1

35b5f1492c3508b0e5dd218befedbd1bbb01391c
SHA256

e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d
SHA512

0b3adaf3e69fd0ca68a555f326601cc61a39553162a0b810eef6e1ad6bde4c892d1a6d8c2bdaf3323589161ead6158dabb0de6b5674ed12198688c8754f32d85
SSDEEP

1536:7IRI+tLOd1NfqA5GdXZpkL40fHc2kbpE5WK99BLodcnPoX:7/oU35GdppkL40fHc2kbpE5WK99BLodd

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
1096	icacls.exe
4596	icacls.exe
1356	icacls.exe
1712	icacls.exe
1972	icacls.exe
3040	icacls.exe
1824	icacls.exe
3808	icacls.exe
4032	takeown.exe
4620	takeown.exe
1072	icacls.exe
2396	takeown.exe
4848	icacls.exe
4396	takeown.exe
1952	takeown.exe
368	icacls.exe
3956	takeown.exe
4176	takeown.exe
2960	takeown.exe
1980	icacls.exe
1836	takeown.exe
3492	icacls.exe
3908	takeown.exe
1192	takeown.exe
2412	takeown.exe
2016	takeown.exe
4924	icacls.exe
4380	icacls.exe
2236	takeown.exe
4620	icacls.exe
4112	takeown.exe
2604	icacls.exe
3548	takeown.exe
1756	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4112	takeown.exe
4848	icacls.exe
4620	icacls.exe
3956	takeown.exe
4396	takeown.exe
4176	takeown.exe
4032	takeown.exe
1952	takeown.exe
2396	takeown.exe
3040	icacls.exe
4924	icacls.exe
3908	takeown.exe
368	icacls.exe
2960	takeown.exe
2604	icacls.exe
1980	icacls.exe
1072	icacls.exe
3492	icacls.exe
2016	takeown.exe
2412	takeown.exe
4596	icacls.exe
3548	takeown.exe
1836	takeown.exe
1356	icacls.exe
1824	icacls.exe
4620	takeown.exe
2236	takeown.exe
1192	takeown.exe
1756	takeown.exe
4380	icacls.exe
1712	icacls.exe
1972	icacls.exe
3808	icacls.exe
1096	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
File created	C:\Windows\SysWOW64\qqfs.exe	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
File opened for modification	C:\Windows\SysWOW64\qqfs.exe	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2960	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	1192	takeown.exe
Token: SeTakeOwnershipPrivilege	3548	takeown.exe
Token: SeTakeOwnershipPrivilege	1756	takeown.exe
Token: SeTakeOwnershipPrivilege	3956	takeown.exe
Token: SeTakeOwnershipPrivilege	4620	takeown.exe
Token: SeTakeOwnershipPrivilege	2236	takeown.exe
Token: SeTakeOwnershipPrivilege	2412	takeown.exe
Token: SeTakeOwnershipPrivilege	1836	takeown.exe
Token: SeTakeOwnershipPrivilege	2016	takeown.exe
Token: SeTakeOwnershipPrivilege	4396	takeown.exe
Token: SeTakeOwnershipPrivilege	4176	takeown.exe
Token: SeTakeOwnershipPrivilege	3908	takeown.exe
Token: SeTakeOwnershipPrivilege	4032	takeown.exe
Token: SeTakeOwnershipPrivilege	1952	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe

pid process

1412 e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe

pid	process
1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe

description	pid	process	target process
PID 1412 wrote to memory of 4112	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 4112	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 4112	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 368	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 368	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 368	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 2960	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2960	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2960	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2604	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 2604	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 2604	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 2396	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2396	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2396	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1356	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1356	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1356	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1192	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1192	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1192	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1824	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1824	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1824	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 3548	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 3548	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 3548	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 4848	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 4848	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 4848	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1756	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1756	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1756	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1980	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1980	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1980	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 3956	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 3956	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 3956	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 4380	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 4380	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 4380	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 4620	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 4620	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 4620	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1712	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1712	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1712	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 2236	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2236	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2236	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1072	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1072	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1072	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 2412	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2412	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 2412	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1972	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1972	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1972	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe
PID 1412 wrote to memory of 1836	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1836	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 1836	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	takeown.exe
PID 1412 wrote to memory of 3492	1412	e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
"C:\Users\Admin\AppData\Local\Temp\e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\qqfs.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4112

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\qqfs.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:368

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2604

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1356

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1824

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4848

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1980

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4380

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1712

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1072

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1972

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3492

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3040

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4620

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4924

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3808

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1096

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qqfs.exe
Filesize
72KB

MD5
0a0b8feecd353748e99aa8e920dc45b0

SHA1
35b5f1492c3508b0e5dd218befedbd1bbb01391c

SHA256
e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d

SHA512
0b3adaf3e69fd0ca68a555f326601cc61a39553162a0b810eef6e1ad6bde4c892d1a6d8c2bdaf3323589161ead6158dabb0de6b5674ed12198688c8754f32d85

Download Submit
memory/368-136-0x0000000000000000-mapping.dmp

Download
memory/1072-152-0x0000000000000000-mapping.dmp

Download
memory/1096-166-0x0000000000000000-mapping.dmp

Download
memory/1192-141-0x0000000000000000-mapping.dmp

Download
memory/1356-140-0x0000000000000000-mapping.dmp

Download
memory/1712-150-0x0000000000000000-mapping.dmp

Download
memory/1756-145-0x0000000000000000-mapping.dmp

Download
memory/1824-142-0x0000000000000000-mapping.dmp

Download
memory/1836-155-0x0000000000000000-mapping.dmp

Download
memory/1952-167-0x0000000000000000-mapping.dmp

Download
memory/1972-154-0x0000000000000000-mapping.dmp

Download
memory/1980-146-0x0000000000000000-mapping.dmp

Download
memory/2016-157-0x0000000000000000-mapping.dmp

Download
memory/2236-151-0x0000000000000000-mapping.dmp

Download
memory/2396-139-0x0000000000000000-mapping.dmp

Download
memory/2412-153-0x0000000000000000-mapping.dmp

Download
memory/2604-138-0x0000000000000000-mapping.dmp

Download
memory/2960-137-0x0000000000000000-mapping.dmp

Download
memory/3040-158-0x0000000000000000-mapping.dmp

Download
memory/3492-156-0x0000000000000000-mapping.dmp

Download
memory/3548-143-0x0000000000000000-mapping.dmp

Download
memory/3808-164-0x0000000000000000-mapping.dmp

Download
memory/3908-163-0x0000000000000000-mapping.dmp

Download
memory/3956-147-0x0000000000000000-mapping.dmp

Download
memory/4032-165-0x0000000000000000-mapping.dmp

Download
memory/4112-134-0x0000000000000000-mapping.dmp

Download
memory/4176-161-0x0000000000000000-mapping.dmp

Download
memory/4380-148-0x0000000000000000-mapping.dmp

Download
memory/4396-159-0x0000000000000000-mapping.dmp

Download
memory/4596-168-0x0000000000000000-mapping.dmp

Download
memory/4620-160-0x0000000000000000-mapping.dmp

Download
memory/4620-149-0x0000000000000000-mapping.dmp

Download
memory/4848-144-0x0000000000000000-mapping.dmp

Download
memory/4924-162-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads