fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6

General

Target

fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe
Size

68KB
MD5

0d0d544e4f10081806e7afe1f4aba1d6
SHA1

63f611feffb11ba7bbb415742ea0f405c0f2adf1
SHA256

fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6
SHA512

f06ed1e3f3f88ff805641bedab4ee1b3f2fb8f0f70224aea086bf0772cea88e97da69dc54487d4bbb05c7bbf03281c428ffe5e6bf2e9796a5041d6e3edcab412
SSDEEP

768:GibQIp1fB4vOfPe1y8egD9OgKnjM+JqW7tQ8GrBmSODbyR4kILpXrCK8IOqe2VXy:jbQIs90j128GrB7OnyR4T8IOj2ly

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
4188	takeown.exe
3220	takeown.exe
3968	icacls.exe
3552	icacls.exe
4644	icacls.exe
2588	takeown.exe
2684	takeown.exe
1208	takeown.exe
3436	takeown.exe
3572	icacls.exe
680	icacls.exe
4132	icacls.exe
5012	icacls.exe
2272	icacls.exe
3548	takeown.exe
1224	takeown.exe
3920	icacls.exe
1520	icacls.exe
4724	takeown.exe
1416	takeown.exe
4532	takeown.exe
4016	icacls.exe
2604	takeown.exe
1232	takeown.exe
232	icacls.exe
5060	icacls.exe
332	icacls.exe
4344	takeown.exe
3596	takeown.exe
2128	icacls.exe
4220	icacls.exe
4444	takeown.exe
996	icacls.exe
3384	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
3220	takeown.exe
1520	icacls.exe
4344	takeown.exe
3596	takeown.exe
4644	icacls.exe
4220	icacls.exe
4444	takeown.exe
332	icacls.exe
5012	icacls.exe
2128	icacls.exe
4132	icacls.exe
1208	takeown.exe
4188	takeown.exe
3920	icacls.exe
996	icacls.exe
680	icacls.exe
232	icacls.exe
4016	icacls.exe
3968	icacls.exe
2272	icacls.exe
3436	takeown.exe
3572	icacls.exe
3384	takeown.exe
2684	takeown.exe
5060	icacls.exe
2604	takeown.exe
4724	takeown.exe
1416	takeown.exe
3552	icacls.exe
2588	takeown.exe
4532	takeown.exe
1232	takeown.exe
3548	takeown.exe
1224	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe

description	ioc	process
File created	C:\Windows\SysWOW64\lnjc.exe	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe
File opened for modification	C:\Windows\SysWOW64\lnjc.exe	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	4532	takeown.exe
Token: SeTakeOwnershipPrivilege	4188	takeown.exe
Token: SeTakeOwnershipPrivilege	3548	takeown.exe
Token: SeTakeOwnershipPrivilege	4444	takeown.exe
Token: SeTakeOwnershipPrivilege	1224	takeown.exe
Token: SeTakeOwnershipPrivilege	3220	takeown.exe
Token: SeTakeOwnershipPrivilege	3436	takeown.exe
Token: SeTakeOwnershipPrivilege	3384	takeown.exe
Token: SeTakeOwnershipPrivilege	2604	takeown.exe
Token: SeTakeOwnershipPrivilege	1232	takeown.exe
Token: SeTakeOwnershipPrivilege	4724	takeown.exe
Token: SeTakeOwnershipPrivilege	1208	takeown.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	4344	takeown.exe
Token: SeTakeOwnershipPrivilege	3596	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe

pid process

3284 fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe

pid	process
3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe

description	pid	process	target process
PID 3284 wrote to memory of 2588	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 2588	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 2588	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 2128	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 2128	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 2128	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 2684	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 2684	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 2684	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4220	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4220	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4220	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4532	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4532	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4532	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4132	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4132	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4132	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4188	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4188	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4188	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 232	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 232	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 232	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 3548	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3548	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3548	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 5060	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 5060	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 5060	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4444	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4444	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4444	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 4016	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4016	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 4016	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 1224	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 1224	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 1224	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3920	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 3920	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 3920	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 3220	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3220	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3220	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 996	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 996	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 996	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 3436	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3436	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3436	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 332	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 332	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 332	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 3384	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3384	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3384	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 5012	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 5012	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 5012	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe
PID 3284 wrote to memory of 2604	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 2604	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 2604	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	takeown.exe
PID 3284 wrote to memory of 3572	3284	fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe
"C:\Users\Admin\AppData\Local\Temp\fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\lnjc.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2588

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\lnjc.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2128

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4220

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4132

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:232

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5060

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4016

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3920

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:996

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:332

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5012

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3572

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1520

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3968

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:680

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2272

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3552

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lnjc.exe
Filesize
68KB

MD5
0d0d544e4f10081806e7afe1f4aba1d6

SHA1
63f611feffb11ba7bbb415742ea0f405c0f2adf1

SHA256
fa2666928980d3f0f655b252e41cd4c57399aa368a5e6f9d57282c5440dd6fa6

SHA512
f06ed1e3f3f88ff805641bedab4ee1b3f2fb8f0f70224aea086bf0772cea88e97da69dc54487d4bbb05c7bbf03281c428ffe5e6bf2e9796a5041d6e3edcab412

Download Submit
memory/232-142-0x0000000000000000-mapping.dmp

Download
memory/332-152-0x0000000000000000-mapping.dmp

Download
memory/680-162-0x0000000000000000-mapping.dmp

Download
memory/996-150-0x0000000000000000-mapping.dmp

Download
memory/1208-161-0x0000000000000000-mapping.dmp

Download
memory/1224-147-0x0000000000000000-mapping.dmp

Download
memory/1232-157-0x0000000000000000-mapping.dmp

Download
memory/1416-163-0x0000000000000000-mapping.dmp

Download
memory/1520-158-0x0000000000000000-mapping.dmp

Download
memory/2128-136-0x0000000000000000-mapping.dmp

Download
memory/2272-164-0x0000000000000000-mapping.dmp

Download
memory/2588-134-0x0000000000000000-mapping.dmp

Download
memory/2604-155-0x0000000000000000-mapping.dmp

Download
memory/2684-137-0x0000000000000000-mapping.dmp

Download
memory/3220-149-0x0000000000000000-mapping.dmp

Download
memory/3384-153-0x0000000000000000-mapping.dmp

Download
memory/3436-151-0x0000000000000000-mapping.dmp

Download
memory/3548-143-0x0000000000000000-mapping.dmp

Download
memory/3552-166-0x0000000000000000-mapping.dmp

Download
memory/3572-156-0x0000000000000000-mapping.dmp

Download
memory/3596-167-0x0000000000000000-mapping.dmp

Download
memory/3920-148-0x0000000000000000-mapping.dmp

Download
memory/3968-160-0x0000000000000000-mapping.dmp

Download
memory/4016-146-0x0000000000000000-mapping.dmp

Download
memory/4132-140-0x0000000000000000-mapping.dmp

Download
memory/4188-141-0x0000000000000000-mapping.dmp

Download
memory/4220-138-0x0000000000000000-mapping.dmp

Download
memory/4344-165-0x0000000000000000-mapping.dmp

Download
memory/4444-145-0x0000000000000000-mapping.dmp

Download
memory/4532-139-0x0000000000000000-mapping.dmp

Download
memory/4644-168-0x0000000000000000-mapping.dmp

Download
memory/4724-159-0x0000000000000000-mapping.dmp

Download
memory/5012-154-0x0000000000000000-mapping.dmp

Download
memory/5060-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads