cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804

General

Target

cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
Size

68KB
MD5

01d2a08c2976f6f7f3a6579d1d64aa26
SHA1

0f4fae2be30446e39ce0e14a5763dd7c41ff4b0f
SHA256

cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804
SHA512

33d92ef8bd3a210ab47fe2fee961456779ce32aca0777c7a165fa1dbc669e8e7352ad6f4890a0193dc95ff59f9417c9ab54e160ff7872c622410300a03be5804
SSDEEP

768:HTTv3ANWbKrlPoQTR2I7Zsn3aRuDDHm0PwwljxXoyoi4/BSx1vjobw8Q8MEe:HHnmzL23SuTnljmyoiy1Q8Je

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
1192	takeown.exe
1052	icacls.exe
5044	icacls.exe
4416	takeown.exe
4916	icacls.exe
2076	takeown.exe
4044	icacls.exe
2852	takeown.exe
1776	icacls.exe
2688	icacls.exe
228	icacls.exe
4404	takeown.exe
4376	takeown.exe
2812	icacls.exe
3652	takeown.exe
1708	takeown.exe
3376	icacls.exe
1148	icacls.exe
2864	takeown.exe
4436	takeown.exe
2300	icacls.exe
3952	icacls.exe
4372	takeown.exe
2848	takeown.exe
3460	icacls.exe
1208	icacls.exe
1992	icacls.exe
2844	takeown.exe
1560	takeown.exe
4844	icacls.exe
4380	icacls.exe
2560	takeown.exe
3728	takeown.exe
1312	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
4416	takeown.exe
1992	icacls.exe
1148	icacls.exe
1192	takeown.exe
1708	takeown.exe
4404	takeown.exe
4376	takeown.exe
4044	icacls.exe
3376	icacls.exe
4372	takeown.exe
4380	icacls.exe
228	icacls.exe
4916	icacls.exe
2076	takeown.exe
3652	takeown.exe
1052	icacls.exe
1776	icacls.exe
4436	takeown.exe
5044	icacls.exe
2844	takeown.exe
3952	icacls.exe
2560	takeown.exe
3728	takeown.exe
2848	takeown.exe
2852	takeown.exe
2812	icacls.exe
2864	takeown.exe
2688	icacls.exe
1208	icacls.exe
3460	icacls.exe
1312	takeown.exe
2300	icacls.exe
1560	takeown.exe
4844	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe

description	ioc	process
File created	C:\Windows\SysWOW64\akxk.exe	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
File opened for modification	C:\Windows\SysWOW64\akxk.exe	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2560	takeown.exe
Token: SeTakeOwnershipPrivilege	1708	takeown.exe
Token: SeTakeOwnershipPrivilege	4416	takeown.exe
Token: SeTakeOwnershipPrivilege	3728	takeown.exe
Token: SeTakeOwnershipPrivilege	4404	takeown.exe
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	2076	takeown.exe
Token: SeTakeOwnershipPrivilege	3652	takeown.exe
Token: SeTakeOwnershipPrivilege	4376	takeown.exe
Token: SeTakeOwnershipPrivilege	1312	takeown.exe
Token: SeTakeOwnershipPrivilege	2852	takeown.exe
Token: SeTakeOwnershipPrivilege	2844	takeown.exe
Token: SeTakeOwnershipPrivilege	4372	takeown.exe
Token: SeTakeOwnershipPrivilege	1560	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	4436	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe

pid process

4272 cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe

pid	process
4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe

description	pid	process	target process
PID 4272 wrote to memory of 1192	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1192	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1192	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2688	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 2688	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 2688	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 2560	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2560	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2560	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1052	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1052	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1052	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1708	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1708	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1708	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 5044	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 5044	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 5044	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 4416	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4416	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4416	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1208	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1208	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1208	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 3728	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 3728	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 3728	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 228	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 228	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 228	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 4404	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4404	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4404	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4916	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 4916	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 4916	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 2848	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2848	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2848	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2812	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 2812	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 2812	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 2076	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2076	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 2076	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 3460	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 3460	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 3460	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 3652	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 3652	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 3652	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1992	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1992	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1992	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 4376	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4376	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4376	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 4044	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 4044	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 4044	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe
PID 4272 wrote to memory of 1312	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1312	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 1312	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	takeown.exe
PID 4272 wrote to memory of 3376	4272	cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
"C:\Users\Admin\AppData\Local\Temp\cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\akxk.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1192

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\akxk.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2688

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1052

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5044

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1208

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:228

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4916

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2812

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3460

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1992

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4044

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3376

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2300

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3952

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1148

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4844

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1776

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\akxk.exe
Filesize
68KB

MD5
01d2a08c2976f6f7f3a6579d1d64aa26

SHA1
0f4fae2be30446e39ce0e14a5763dd7c41ff4b0f

SHA256
cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804

SHA512
33d92ef8bd3a210ab47fe2fee961456779ce32aca0777c7a165fa1dbc669e8e7352ad6f4890a0193dc95ff59f9417c9ab54e160ff7872c622410300a03be5804

Download Submit
memory/228-144-0x0000000000000000-mapping.dmp

Download
memory/1052-138-0x0000000000000000-mapping.dmp

Download
memory/1148-162-0x0000000000000000-mapping.dmp

Download
memory/1192-134-0x0000000000000000-mapping.dmp

Download
memory/1208-142-0x0000000000000000-mapping.dmp

Download
memory/1312-155-0x0000000000000000-mapping.dmp

Download
memory/1560-163-0x0000000000000000-mapping.dmp

Download
memory/1708-139-0x0000000000000000-mapping.dmp

Download
memory/1776-166-0x0000000000000000-mapping.dmp

Download
memory/1992-152-0x0000000000000000-mapping.dmp

Download
memory/2076-149-0x0000000000000000-mapping.dmp

Download
memory/2300-158-0x0000000000000000-mapping.dmp

Download
memory/2560-137-0x0000000000000000-mapping.dmp

Download
memory/2688-136-0x0000000000000000-mapping.dmp

Download
memory/2812-148-0x0000000000000000-mapping.dmp

Download
memory/2844-159-0x0000000000000000-mapping.dmp

Download
memory/2848-147-0x0000000000000000-mapping.dmp

Download
memory/2852-157-0x0000000000000000-mapping.dmp

Download
memory/2864-165-0x0000000000000000-mapping.dmp

Download
memory/3376-156-0x0000000000000000-mapping.dmp

Download
memory/3460-150-0x0000000000000000-mapping.dmp

Download
memory/3652-151-0x0000000000000000-mapping.dmp

Download
memory/3728-143-0x0000000000000000-mapping.dmp

Download
memory/3952-160-0x0000000000000000-mapping.dmp

Download
memory/4044-154-0x0000000000000000-mapping.dmp

Download
memory/4372-161-0x0000000000000000-mapping.dmp

Download
memory/4376-153-0x0000000000000000-mapping.dmp

Download
memory/4380-168-0x0000000000000000-mapping.dmp

Download
memory/4404-145-0x0000000000000000-mapping.dmp

Download
memory/4416-141-0x0000000000000000-mapping.dmp

Download
memory/4436-167-0x0000000000000000-mapping.dmp

Download
memory/4844-164-0x0000000000000000-mapping.dmp

Download
memory/4916-146-0x0000000000000000-mapping.dmp

Download
memory/5044-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads