85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949

General

Target

85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe
Size

72KB
MD5

0a1c64ecc5c12254166f91595b2f5b16
SHA1

2a84ef3e82e8fa944e5fead008066bb3410bbf80
SHA256

85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949
SHA512

3a723bd5124908b7d90da047e2b24d6c6e201effadf10d7ac9d2de97cefb23856d087871557fa04c1ef9a13ede94d4ac754531e3f35052ec8f91f2e0c9897210
SSDEEP

768:9VzwycZGO/kpKy8SRc9sw2/nyK+nJElfev1vuLvW3z1y60Rcl64k10YwNzhpQbXg:93hwLnJEUmL6V4cl6P1xUpy2x1

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
1252	icacls.exe
4148	takeown.exe
2288	takeown.exe
4568	takeown.exe
4412	icacls.exe
3740	icacls.exe
2684	takeown.exe
808	takeown.exe
3776	takeown.exe
1716	takeown.exe
5104	icacls.exe
4956	takeown.exe
4780	icacls.exe
1984	takeown.exe
4448	icacls.exe
4244	takeown.exe
4080	icacls.exe
4272	takeown.exe
876	icacls.exe
452	takeown.exe
1220	icacls.exe
3628	takeown.exe
3944	icacls.exe
4168	takeown.exe
1260	icacls.exe
2132	icacls.exe
728	takeown.exe
4140	icacls.exe
4400	icacls.exe
4996	icacls.exe
3972	icacls.exe
5024	icacls.exe
4984	takeown.exe
4680	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
4680	takeown.exe
1252	icacls.exe
4956	takeown.exe
4272	takeown.exe
4568	takeown.exe
1716	takeown.exe
2288	takeown.exe
4140	icacls.exe
4080	icacls.exe
1984	takeown.exe
4448	icacls.exe
452	takeown.exe
3972	icacls.exe
5024	icacls.exe
3776	takeown.exe
5104	icacls.exe
1220	icacls.exe
3740	icacls.exe
1260	icacls.exe
876	icacls.exe
808	takeown.exe
728	takeown.exe
2684	takeown.exe
4996	icacls.exe
4984	takeown.exe
4148	takeown.exe
4400	icacls.exe
4412	icacls.exe
4168	takeown.exe
2132	icacls.exe
3944	icacls.exe
4244	takeown.exe
4780	icacls.exe
3628	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\yhrlr.exe	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe
File created	C:\Windows\SysWOW64\yhrlr.exe	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4568	takeown.exe
Token: SeTakeOwnershipPrivilege	452	takeown.exe
Token: SeTakeOwnershipPrivilege	808	takeown.exe
Token: SeTakeOwnershipPrivilege	4168	takeown.exe
Token: SeTakeOwnershipPrivilege	4984	takeown.exe
Token: SeTakeOwnershipPrivilege	4680	takeown.exe
Token: SeTakeOwnershipPrivilege	3776	takeown.exe
Token: SeTakeOwnershipPrivilege	728	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	4148	takeown.exe
Token: SeTakeOwnershipPrivilege	2288	takeown.exe
Token: SeTakeOwnershipPrivilege	4244	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	4956	takeown.exe
Token: SeTakeOwnershipPrivilege	4272	takeown.exe
Token: SeTakeOwnershipPrivilege	3628	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe

pid process

1044 85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe

pid	process
1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe

description	pid	process	target process
PID 1044 wrote to memory of 1984	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 1984	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 1984	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 876	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 876	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 876	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4568	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4568	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4568	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4448	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4448	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4448	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 452	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 452	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 452	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4412	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4412	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4412	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 808	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 808	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 808	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 3944	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 3944	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 3944	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4168	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4168	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4168	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4996	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4996	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4996	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4984	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4984	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4984	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 3972	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 3972	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 3972	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4680	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4680	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4680	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 2132	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 2132	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 2132	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 3776	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 3776	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 3776	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 5024	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 5024	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 5024	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 728	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 728	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 728	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 1252	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 1252	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 1252	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 1716	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 1716	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 1716	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 5104	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 5104	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 5104	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe
PID 1044 wrote to memory of 4148	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4148	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 4148	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	takeown.exe
PID 1044 wrote to memory of 1220	1044	85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe
"C:\Users\Admin\AppData\Local\Temp\85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\yhrlr.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1984

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\yhrlr.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:876

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4448

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4412

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3944

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4996

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3972

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2132

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5024

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1252

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5104

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1220

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3740

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1260

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4140

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4080

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4780

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\yhrlr.exe
Filesize
72KB

MD5
0a1c64ecc5c12254166f91595b2f5b16

SHA1
2a84ef3e82e8fa944e5fead008066bb3410bbf80

SHA256
85886fccf3dd88ad9f2ea9511428b78e30319a62d6a7d07b5542b4f9c3358949

SHA512
3a723bd5124908b7d90da047e2b24d6c6e201effadf10d7ac9d2de97cefb23856d087871557fa04c1ef9a13ede94d4ac754531e3f35052ec8f91f2e0c9897210

Download Submit
memory/452-139-0x0000000000000000-mapping.dmp

Download
memory/728-151-0x0000000000000000-mapping.dmp

Download
memory/808-141-0x0000000000000000-mapping.dmp

Download
memory/876-136-0x0000000000000000-mapping.dmp

Download
memory/1220-156-0x0000000000000000-mapping.dmp

Download
memory/1252-152-0x0000000000000000-mapping.dmp

Download
memory/1260-160-0x0000000000000000-mapping.dmp

Download
memory/1716-153-0x0000000000000000-mapping.dmp

Download
memory/1984-134-0x0000000000000000-mapping.dmp

Download
memory/2132-148-0x0000000000000000-mapping.dmp

Download
memory/2288-157-0x0000000000000000-mapping.dmp

Download
memory/2684-161-0x0000000000000000-mapping.dmp

Download
memory/3628-167-0x0000000000000000-mapping.dmp

Download
memory/3740-158-0x0000000000000000-mapping.dmp

Download
memory/3776-149-0x0000000000000000-mapping.dmp

Download
memory/3944-142-0x0000000000000000-mapping.dmp

Download
memory/3972-146-0x0000000000000000-mapping.dmp

Download
memory/4080-164-0x0000000000000000-mapping.dmp

Download
memory/4140-162-0x0000000000000000-mapping.dmp

Download
memory/4148-155-0x0000000000000000-mapping.dmp

Download
memory/4168-143-0x0000000000000000-mapping.dmp

Download
memory/4244-159-0x0000000000000000-mapping.dmp

Download
memory/4272-165-0x0000000000000000-mapping.dmp

Download
memory/4400-168-0x0000000000000000-mapping.dmp

Download
memory/4412-140-0x0000000000000000-mapping.dmp

Download
memory/4448-138-0x0000000000000000-mapping.dmp

Download
memory/4568-137-0x0000000000000000-mapping.dmp

Download
memory/4680-147-0x0000000000000000-mapping.dmp

Download
memory/4780-166-0x0000000000000000-mapping.dmp

Download
memory/4956-163-0x0000000000000000-mapping.dmp

Download
memory/4984-145-0x0000000000000000-mapping.dmp

Download
memory/4996-144-0x0000000000000000-mapping.dmp

Download
memory/5024-150-0x0000000000000000-mapping.dmp

Download
memory/5104-154-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads