b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f

General

Target

b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
Size

76KB
MD5

00a0ee955f28a00d3e0153adad8ccbd6
SHA1

aacc4109349377d1a0ef68512dfd3d812a514fdd
SHA256

b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f
SHA512

12c996808750974b611a768b018b52bbd11eb67d1389d3e3232858c7ef70a78da2fee303963240f5045fedb9c85b0347748c362ccfa8752100cfa38351260ce9
SSDEEP

768:YIE5SMy0AvkBrsVbJYv79+Hi6XzY1nZCdRFoEGUzrbHYiI3/1jW8xfZdjo0XY+Xt:YwLJYp+dOCdRWEGsrq3N1j5XY+q5o

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
2032	icacls.exe
4160	icacls.exe
4132	takeown.exe
3424	takeown.exe
3756	icacls.exe
2268	icacls.exe
3048	icacls.exe
2964	takeown.exe
2696	icacls.exe
3444	takeown.exe
396	icacls.exe
1148	takeown.exe
4588	takeown.exe
4588	icacls.exe
2564	icacls.exe
1128	icacls.exe
2248	takeown.exe
4960	icacls.exe
536	takeown.exe
1480	takeown.exe
3648	takeown.exe
924	takeown.exe
5104	takeown.exe
3724	icacls.exe
5052	takeown.exe
2512	icacls.exe
1140	takeown.exe
1892	takeown.exe
4404	icacls.exe
2060	icacls.exe
5028	takeown.exe
3428	icacls.exe
4508	icacls.exe
4320	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
4160	icacls.exe
2696	icacls.exe
4508	icacls.exe
4320	takeown.exe
2032	icacls.exe
5028	takeown.exe
3724	icacls.exe
1480	takeown.exe
396	icacls.exe
1140	takeown.exe
4132	takeown.exe
2268	icacls.exe
1128	icacls.exe
4960	icacls.exe
2512	icacls.exe
3648	takeown.exe
924	takeown.exe
1148	takeown.exe
3048	icacls.exe
3428	icacls.exe
3424	takeown.exe
4404	icacls.exe
4588	icacls.exe
2248	takeown.exe
1892	takeown.exe
4588	takeown.exe
3756	icacls.exe
2964	takeown.exe
5104	takeown.exe
3444	takeown.exe
2060	icacls.exe
5052	takeown.exe
2564	icacls.exe
536	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
File created	C:\Windows\SysWOW64\ukwx.exe	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
File opened for modification	C:\Windows\SysWOW64\ukwx.exe	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	536	takeown.exe
Token: SeTakeOwnershipPrivilege	1480	takeown.exe
Token: SeTakeOwnershipPrivilege	5028	takeown.exe
Token: SeTakeOwnershipPrivilege	5052	takeown.exe
Token: SeTakeOwnershipPrivilege	3648	takeown.exe
Token: SeTakeOwnershipPrivilege	924	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	1140	takeown.exe
Token: SeTakeOwnershipPrivilege	4132	takeown.exe
Token: SeTakeOwnershipPrivilege	1148	takeown.exe
Token: SeTakeOwnershipPrivilege	2964	takeown.exe
Token: SeTakeOwnershipPrivilege	3424	takeown.exe
Token: SeTakeOwnershipPrivilege	2248	takeown.exe
Token: SeTakeOwnershipPrivilege	4320	takeown.exe
Token: SeTakeOwnershipPrivilege	1892	takeown.exe
Token: SeTakeOwnershipPrivilege	4588	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe

pid process

4688 b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe

pid	process
4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe

description	pid	process	target process
PID 4688 wrote to memory of 3444	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 3444	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 3444	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 2032	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2032	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2032	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 536	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 536	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 536	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 4588	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 4588	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 4588	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 1480	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 1480	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 1480	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 2060	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2060	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2060	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 5028	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 5028	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 5028	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 3724	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 3724	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 3724	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 5052	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 5052	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 5052	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 2268	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2268	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2268	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 3648	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 3648	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 3648	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 2512	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2512	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2512	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 924	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 924	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 924	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 2564	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2564	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 2564	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 5104	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 5104	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 5104	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 396	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 396	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 396	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 1140	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 1140	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 1140	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 4160	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 4160	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 4160	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 4132	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 4132	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 4132	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 1128	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 1128	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 1128	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe
PID 4688 wrote to memory of 1148	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 1148	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 1148	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	takeown.exe
PID 4688 wrote to memory of 3048	4688	b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
"C:\Users\Admin\AppData\Local\Temp\b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\ukwx.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\ukwx.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2032

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4588

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2060

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3724

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2268

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2512

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2564

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:396

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4160

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1128

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3048

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3428

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2696

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4508

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4960

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4404

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ukwx.exe
Filesize
76KB

MD5
00a0ee955f28a00d3e0153adad8ccbd6

SHA1
aacc4109349377d1a0ef68512dfd3d812a514fdd

SHA256
b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f

SHA512
12c996808750974b611a768b018b52bbd11eb67d1389d3e3232858c7ef70a78da2fee303963240f5045fedb9c85b0347748c362ccfa8752100cfa38351260ce9

Download Submit
memory/396-150-0x0000000000000000-mapping.dmp

Download
memory/536-137-0x0000000000000000-mapping.dmp

Download
memory/924-147-0x0000000000000000-mapping.dmp

Download
memory/1128-154-0x0000000000000000-mapping.dmp

Download
memory/1140-151-0x0000000000000000-mapping.dmp

Download
memory/1148-155-0x0000000000000000-mapping.dmp

Download
memory/1480-139-0x0000000000000000-mapping.dmp

Download
memory/1892-165-0x0000000000000000-mapping.dmp

Download
memory/2032-136-0x0000000000000000-mapping.dmp

Download
memory/2060-140-0x0000000000000000-mapping.dmp

Download
memory/2248-161-0x0000000000000000-mapping.dmp

Download
memory/2268-144-0x0000000000000000-mapping.dmp

Download
memory/2512-146-0x0000000000000000-mapping.dmp

Download
memory/2564-148-0x0000000000000000-mapping.dmp

Download
memory/2696-160-0x0000000000000000-mapping.dmp

Download
memory/2964-157-0x0000000000000000-mapping.dmp

Download
memory/3048-156-0x0000000000000000-mapping.dmp

Download
memory/3424-159-0x0000000000000000-mapping.dmp

Download
memory/3428-158-0x0000000000000000-mapping.dmp

Download
memory/3444-134-0x0000000000000000-mapping.dmp

Download
memory/3648-145-0x0000000000000000-mapping.dmp

Download
memory/3724-142-0x0000000000000000-mapping.dmp

Download
memory/3756-168-0x0000000000000000-mapping.dmp

Download
memory/4132-153-0x0000000000000000-mapping.dmp

Download
memory/4160-152-0x0000000000000000-mapping.dmp

Download
memory/4320-163-0x0000000000000000-mapping.dmp

Download
memory/4404-166-0x0000000000000000-mapping.dmp

Download
memory/4508-162-0x0000000000000000-mapping.dmp

Download
memory/4588-138-0x0000000000000000-mapping.dmp

Download
memory/4588-167-0x0000000000000000-mapping.dmp

Download
memory/4960-164-0x0000000000000000-mapping.dmp

Download
memory/5028-141-0x0000000000000000-mapping.dmp

Download
memory/5052-143-0x0000000000000000-mapping.dmp

Download
memory/5104-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads