738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec

General

Target

738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
Size

72KB
MD5

0523877c4a35b31b83ed89f02709f550
SHA1

203e66c8236287fa259d82806ef18f217efedc02
SHA256

738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec
SHA512

d2d380bca2fd249a8e50e2cba20419b78a65607325c7259671fa4bcdb68817bd3d6c9a7e0169bb72ebd02a47fdf0d37747ac3307bdcdf1a2abbe6b30419c8654
SSDEEP

1536:8KIXt6+UbOK/X51l6A2OG3rO23VIU/YuuVSQ3cAH:htbOgb2J3a23VIU/YuK3V

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
4180	takeown.exe
5024	icacls.exe
4756	takeown.exe
4320	icacls.exe
5060	icacls.exe
4080	icacls.exe
4904	takeown.exe
4524	icacls.exe
4960	icacls.exe
5068	icacls.exe
3308	icacls.exe
4568	icacls.exe
2524	takeown.exe
3096	icacls.exe
3988	icacls.exe
4436	takeown.exe
1004	takeown.exe
4336	icacls.exe
3148	icacls.exe
3052	takeown.exe
5076	takeown.exe
1656	takeown.exe
3800	icacls.exe
3916	takeown.exe
1992	icacls.exe
2804	takeown.exe
1604	takeown.exe
5020	takeown.exe
4940	icacls.exe
992	takeown.exe
804	takeown.exe
4060	icacls.exe
4788	takeown.exe
828	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
4904	takeown.exe
804	takeown.exe
828	takeown.exe
992	takeown.exe
1004	takeown.exe
3988	icacls.exe
4180	takeown.exe
3800	icacls.exe
5020	takeown.exe
3148	icacls.exe
5068	icacls.exe
5076	takeown.exe
1656	takeown.exe
4524	icacls.exe
5024	icacls.exe
4788	takeown.exe
3096	icacls.exe
3916	takeown.exe
4960	icacls.exe
4060	icacls.exe
3052	takeown.exe
3308	icacls.exe
1604	takeown.exe
4320	icacls.exe
5060	icacls.exe
4568	icacls.exe
2524	takeown.exe
2804	takeown.exe
4940	icacls.exe
4336	icacls.exe
4080	icacls.exe
4436	takeown.exe
1992	icacls.exe
4756	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe

description	ioc	process
File created	C:\Windows\SysWOW64\jfjs.exe	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
File opened for modification	C:\Windows\SysWOW64\jfjs.exe	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4904	takeown.exe
Token: SeTakeOwnershipPrivilege	804	takeown.exe
Token: SeTakeOwnershipPrivilege	4436	takeown.exe
Token: SeTakeOwnershipPrivilege	3916	takeown.exe
Token: SeTakeOwnershipPrivilege	2524	takeown.exe
Token: SeTakeOwnershipPrivilege	1604	takeown.exe
Token: SeTakeOwnershipPrivilege	5020	takeown.exe
Token: SeTakeOwnershipPrivilege	1004	takeown.exe
Token: SeTakeOwnershipPrivilege	4756	takeown.exe
Token: SeTakeOwnershipPrivilege	4788	takeown.exe
Token: SeTakeOwnershipPrivilege	828	takeown.exe
Token: SeTakeOwnershipPrivilege	3052	takeown.exe
Token: SeTakeOwnershipPrivilege	2804	takeown.exe
Token: SeTakeOwnershipPrivilege	992	takeown.exe
Token: SeTakeOwnershipPrivilege	5076	takeown.exe
Token: SeTakeOwnershipPrivilege	1656	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe

pid process

704 738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe

pid	process
704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe

description	pid	process	target process
PID 704 wrote to memory of 4180	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4180	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4180	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4080	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4080	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4080	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4904	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4904	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4904	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4524	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4524	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4524	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 804	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 804	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 804	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 3800	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 3800	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 3800	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4436	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4436	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4436	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4960	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4960	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4960	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 3916	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 3916	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 3916	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4568	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4568	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4568	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 2524	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 2524	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 2524	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 5024	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 5024	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 5024	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 1604	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 1604	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 1604	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 1992	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 1992	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 1992	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 5020	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 5020	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 5020	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 3148	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 3148	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 3148	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 1004	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 1004	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 1004	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4060	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4060	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4060	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4756	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4756	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4756	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4940	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4940	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4940	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe
PID 704 wrote to memory of 4788	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4788	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 4788	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	takeown.exe
PID 704 wrote to memory of 3096	704	738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
"C:\Users\Admin\AppData\Local\Temp\738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\jfjs.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4180

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\jfjs.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4080

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4524

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3800

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4960

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4568

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5024

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1992

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3148

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4060

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4940

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3096

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4320

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5068

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4336

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3988

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3308

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\jfjs.exe
Filesize
72KB

MD5
0523877c4a35b31b83ed89f02709f550

SHA1
203e66c8236287fa259d82806ef18f217efedc02

SHA256
738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec

SHA512
d2d380bca2fd249a8e50e2cba20419b78a65607325c7259671fa4bcdb68817bd3d6c9a7e0169bb72ebd02a47fdf0d37747ac3307bdcdf1a2abbe6b30419c8654

Download Submit
memory/804-139-0x0000000000000000-mapping.dmp

Download
memory/828-157-0x0000000000000000-mapping.dmp

Download
memory/992-163-0x0000000000000000-mapping.dmp

Download
memory/1004-151-0x0000000000000000-mapping.dmp

Download
memory/1604-147-0x0000000000000000-mapping.dmp

Download
memory/1656-167-0x0000000000000000-mapping.dmp

Download
memory/1992-148-0x0000000000000000-mapping.dmp

Download
memory/2524-145-0x0000000000000000-mapping.dmp

Download
memory/2804-161-0x0000000000000000-mapping.dmp

Download
memory/3052-159-0x0000000000000000-mapping.dmp

Download
memory/3096-156-0x0000000000000000-mapping.dmp

Download
memory/3148-150-0x0000000000000000-mapping.dmp

Download
memory/3308-166-0x0000000000000000-mapping.dmp

Download
memory/3800-140-0x0000000000000000-mapping.dmp

Download
memory/3916-143-0x0000000000000000-mapping.dmp

Download
memory/3988-164-0x0000000000000000-mapping.dmp

Download
memory/4060-152-0x0000000000000000-mapping.dmp

Download
memory/4080-136-0x0000000000000000-mapping.dmp

Download
memory/4180-134-0x0000000000000000-mapping.dmp

Download
memory/4320-158-0x0000000000000000-mapping.dmp

Download
memory/4336-162-0x0000000000000000-mapping.dmp

Download
memory/4436-141-0x0000000000000000-mapping.dmp

Download
memory/4524-138-0x0000000000000000-mapping.dmp

Download
memory/4568-144-0x0000000000000000-mapping.dmp

Download
memory/4756-153-0x0000000000000000-mapping.dmp

Download
memory/4788-155-0x0000000000000000-mapping.dmp

Download
memory/4904-137-0x0000000000000000-mapping.dmp

Download
memory/4940-154-0x0000000000000000-mapping.dmp

Download
memory/4960-142-0x0000000000000000-mapping.dmp

Download
memory/5020-149-0x0000000000000000-mapping.dmp

Download
memory/5024-146-0x0000000000000000-mapping.dmp

Download
memory/5060-168-0x0000000000000000-mapping.dmp

Download
memory/5068-160-0x0000000000000000-mapping.dmp

Download
memory/5076-165-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads