21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8

General

Target

21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe
Size

64KB
MD5

0175dabeac051e7eab1ed1d6577f2381
SHA1

f9d2e6822687828288ccde9a68adad3da8ef7a87
SHA256

21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8
SHA512

9aa0a613d737833406f27a63137e6d0dd6b1cbb41f4d3290cce4f2a0bd315727624afac003cff72864677b22bec65491e475746362f577309dbafa4abcc62a91
SSDEEP

768:kHXvbNU1/AEQCd4Rida+EcL+VT/DHhwV4JmC4nySV3XBmFSTWepIpiO90XP:kfbmHLGjDHhwSJD4nPHA0NIpiEWP

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
4420	takeown.exe
1936	takeown.exe
1608	icacls.exe
2900	icacls.exe
3732	takeown.exe
564	takeown.exe
4220	icacls.exe
2880	takeown.exe
3376	icacls.exe
4136	takeown.exe
3356	icacls.exe
3152	takeown.exe
2224	takeown.exe
3596	icacls.exe
3300	takeown.exe
4400	takeown.exe
4164	icacls.exe
3532	takeown.exe
2284	icacls.exe
3784	icacls.exe
3496	takeown.exe
3180	icacls.exe
4344	takeown.exe
628	icacls.exe
5084	icacls.exe
4188	takeown.exe
3840	takeown.exe
3632	icacls.exe
4788	icacls.exe
364	icacls.exe
1456	takeown.exe
3652	takeown.exe
628	icacls.exe
4224	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
3784	icacls.exe
3152	takeown.exe
3180	icacls.exe
4788	icacls.exe
2880	takeown.exe
3376	icacls.exe
5084	icacls.exe
3840	takeown.exe
3496	takeown.exe
1456	takeown.exe
4420	takeown.exe
2224	takeown.exe
3300	takeown.exe
4224	icacls.exe
364	icacls.exe
4136	takeown.exe
3632	icacls.exe
3532	takeown.exe
4188	takeown.exe
628	icacls.exe
1608	icacls.exe
3732	takeown.exe
2284	icacls.exe
3652	takeown.exe
3596	icacls.exe
4400	takeown.exe
3356	icacls.exe
4220	icacls.exe
4344	takeown.exe
628	icacls.exe
1936	takeown.exe
2900	icacls.exe
564	takeown.exe
4164	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\qjylw.exe	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe
File created	C:\Windows\SysWOW64\qjylw.exe	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4188	takeown.exe
Token: SeTakeOwnershipPrivilege	1936	takeown.exe
Token: SeTakeOwnershipPrivilege	3840	takeown.exe
Token: SeTakeOwnershipPrivilege	4136	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe
Token: SeTakeOwnershipPrivilege	564	takeown.exe
Token: SeTakeOwnershipPrivilege	3532	takeown.exe
Token: SeTakeOwnershipPrivilege	3496	takeown.exe
Token: SeTakeOwnershipPrivilege	1456	takeown.exe
Token: SeTakeOwnershipPrivilege	3152	takeown.exe
Token: SeTakeOwnershipPrivilege	3652	takeown.exe
Token: SeTakeOwnershipPrivilege	4344	takeown.exe
Token: SeTakeOwnershipPrivilege	2880	takeown.exe
Token: SeTakeOwnershipPrivilege	3300	takeown.exe
Token: SeTakeOwnershipPrivilege	3732	takeown.exe
Token: SeTakeOwnershipPrivilege	4400	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe

pid process

1800 21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe

pid	process
1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe

description	pid	process	target process
PID 1800 wrote to memory of 4420	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 4420	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 4420	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 5084	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 5084	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 5084	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 4188	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 4188	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 4188	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 364	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 364	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 364	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 1936	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 1936	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 1936	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 628	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 628	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 628	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3840	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3840	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3840	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 1608	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 1608	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 1608	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 4136	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 4136	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 4136	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3632	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3632	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3632	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 2224	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 2224	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 2224	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 2900	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 2900	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 2900	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 564	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 564	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 564	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 4164	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 4164	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 4164	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3532	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3532	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3532	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 2284	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 2284	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 2284	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3496	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3496	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3496	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3356	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3356	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3356	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 1456	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 1456	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 1456	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3784	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3784	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3784	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe
PID 1800 wrote to memory of 3152	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3152	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3152	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	takeown.exe
PID 1800 wrote to memory of 3180	1800	21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe
"C:\Users\Admin\AppData\Local\Temp\21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\qjylw.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4420

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\qjylw.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5084

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:364

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:628

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1608

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3632

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2900

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4164

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2284

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3356

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3784

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3180

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4220

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:628

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3376

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3596

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qjylw.exe
Filesize
64KB

MD5
0175dabeac051e7eab1ed1d6577f2381

SHA1
f9d2e6822687828288ccde9a68adad3da8ef7a87

SHA256
21d6758a391c13c6b47c236747722102b5e01f1c8e72362cef8aa87c154138f8

SHA512
9aa0a613d737833406f27a63137e6d0dd6b1cbb41f4d3290cce4f2a0bd315727624afac003cff72864677b22bec65491e475746362f577309dbafa4abcc62a91

Download Submit
memory/364-138-0x0000000000000000-mapping.dmp

Download
memory/564-147-0x0000000000000000-mapping.dmp

Download
memory/628-160-0x0000000000000000-mapping.dmp

Download
memory/628-140-0x0000000000000000-mapping.dmp

Download
memory/1456-153-0x0000000000000000-mapping.dmp

Download
memory/1608-142-0x0000000000000000-mapping.dmp

Download
memory/1936-139-0x0000000000000000-mapping.dmp

Download
memory/2224-145-0x0000000000000000-mapping.dmp

Download
memory/2284-150-0x0000000000000000-mapping.dmp

Download
memory/2880-161-0x0000000000000000-mapping.dmp

Download
memory/2900-146-0x0000000000000000-mapping.dmp

Download
memory/3152-155-0x0000000000000000-mapping.dmp

Download
memory/3180-156-0x0000000000000000-mapping.dmp

Download
memory/3300-163-0x0000000000000000-mapping.dmp

Download
memory/3356-152-0x0000000000000000-mapping.dmp

Download
memory/3376-162-0x0000000000000000-mapping.dmp

Download
memory/3496-151-0x0000000000000000-mapping.dmp

Download
memory/3532-149-0x0000000000000000-mapping.dmp

Download
memory/3596-166-0x0000000000000000-mapping.dmp

Download
memory/3632-144-0x0000000000000000-mapping.dmp

Download
memory/3652-157-0x0000000000000000-mapping.dmp

Download
memory/3732-165-0x0000000000000000-mapping.dmp

Download
memory/3784-154-0x0000000000000000-mapping.dmp

Download
memory/3840-141-0x0000000000000000-mapping.dmp

Download
memory/4136-143-0x0000000000000000-mapping.dmp

Download
memory/4164-148-0x0000000000000000-mapping.dmp

Download
memory/4188-137-0x0000000000000000-mapping.dmp

Download
memory/4220-158-0x0000000000000000-mapping.dmp

Download
memory/4224-164-0x0000000000000000-mapping.dmp

Download
memory/4344-159-0x0000000000000000-mapping.dmp

Download
memory/4400-167-0x0000000000000000-mapping.dmp

Download
memory/4420-134-0x0000000000000000-mapping.dmp

Download
memory/4788-168-0x0000000000000000-mapping.dmp

Download
memory/5084-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads