5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87

General

Target

5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe
Size

72KB
MD5

075b73592c08fd0604e48e60cb52f366
SHA1

a5d28e0f1672d3fee73bf943bc6d20cf5c758909
SHA256

5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87
SHA512

ceeea2b98e872b9d2f8ee770cbcad5e8d52d1316ad0c5f2648c6e41452ca7b7e612716b515115d859e813b7ef513f543ce8a87d2539d54f21f5c99aa3bdcc64b
SSDEEP

768:MuBZnI6DRbxol1NsA9WhJI8/ZshSq0t2mgkBYy7Yvu8BHvNV1enxlpCXL8ZcTf4+:MuBZnIdsvsz6FYyau8BPt2l589

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
4000	takeown.exe
916	takeown.exe
3632	icacls.exe
2292	takeown.exe
4272	takeown.exe
652	icacls.exe
824	icacls.exe
3732	takeown.exe
4212	icacls.exe
2208	icacls.exe
1836	icacls.exe
1940	takeown.exe
2252	takeown.exe
1664	icacls.exe
3684	takeown.exe
212	takeown.exe
748	takeown.exe
2596	takeown.exe
3960	icacls.exe
3304	takeown.exe
1720	takeown.exe
1668	icacls.exe
4752	icacls.exe
1392	icacls.exe
4944	icacls.exe
4064	takeown.exe
752	icacls.exe
1460	icacls.exe
4692	icacls.exe
1500	icacls.exe
3852	takeown.exe
2696	icacls.exe
3420	takeown.exe
4524	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
3732	takeown.exe
652	icacls.exe
212	takeown.exe
4752	icacls.exe
2252	takeown.exe
1720	takeown.exe
1668	icacls.exe
4064	takeown.exe
2292	takeown.exe
4944	icacls.exe
1836	icacls.exe
1940	takeown.exe
1392	icacls.exe
3960	icacls.exe
2208	icacls.exe
4692	icacls.exe
916	takeown.exe
3684	takeown.exe
2696	icacls.exe
4272	takeown.exe
3420	takeown.exe
4212	icacls.exe
752	icacls.exe
1664	icacls.exe
748	takeown.exe
4000	takeown.exe
3304	takeown.exe
1460	icacls.exe
3632	icacls.exe
1500	icacls.exe
3852	takeown.exe
2596	takeown.exe
4524	takeown.exe
824	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe

description	ioc	process
File created	C:\Windows\SysWOW64\mtkk.exe	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe
File opened for modification	C:\Windows\SysWOW64\mtkk.exe	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1720	takeown.exe
Token: SeTakeOwnershipPrivilege	4272	takeown.exe
Token: SeTakeOwnershipPrivilege	3420	takeown.exe
Token: SeTakeOwnershipPrivilege	212	takeown.exe
Token: SeTakeOwnershipPrivilege	748	takeown.exe
Token: SeTakeOwnershipPrivilege	2596	takeown.exe
Token: SeTakeOwnershipPrivilege	4064	takeown.exe
Token: SeTakeOwnershipPrivilege	2252	takeown.exe
Token: SeTakeOwnershipPrivilege	4524	takeown.exe
Token: SeTakeOwnershipPrivilege	1940	takeown.exe
Token: SeTakeOwnershipPrivilege	3732	takeown.exe
Token: SeTakeOwnershipPrivilege	4000	takeown.exe
Token: SeTakeOwnershipPrivilege	916	takeown.exe
Token: SeTakeOwnershipPrivilege	3304	takeown.exe
Token: SeTakeOwnershipPrivilege	2292	takeown.exe
Token: SeTakeOwnershipPrivilege	3684	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe

pid process

1040 5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe

pid	process
1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe

description	pid	process	target process
PID 1040 wrote to memory of 3852	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 3852	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 3852	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 2696	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 2696	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 2696	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 1720	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 1720	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 1720	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4944	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4944	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4944	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4272	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4272	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4272	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 1668	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 1668	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 1668	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 3420	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 3420	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 3420	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 652	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 652	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 652	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 212	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 212	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 212	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4212	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4212	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4212	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 748	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 748	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 748	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 2208	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 2208	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 2208	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 2596	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 2596	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 2596	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 3960	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 3960	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 3960	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4064	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4064	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4064	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4752	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4752	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4752	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 2252	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 2252	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 2252	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 1836	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 1836	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 1836	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 4524	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4524	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 4524	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 752	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 752	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 752	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe
PID 1040 wrote to memory of 1940	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 1940	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 1940	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	takeown.exe
PID 1040 wrote to memory of 824	1040	5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe
"C:\Users\Admin\AppData\Local\Temp\5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\mtkk.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3852

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\mtkk.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2696

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4944

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1668

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:652

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4212

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2208

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3960

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4752

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1836

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:752

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:824

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4692

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1392

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3632

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1664

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1460

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\SysWOW64\icacls.exe
icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mtkk.exe
Filesize
72KB

MD5
075b73592c08fd0604e48e60cb52f366

SHA1
a5d28e0f1672d3fee73bf943bc6d20cf5c758909

SHA256
5d19c1d153654a8f8bc7a4898b18930ab667adcf6426b677c75872984dd66e87

SHA512
ceeea2b98e872b9d2f8ee770cbcad5e8d52d1316ad0c5f2648c6e41452ca7b7e612716b515115d859e813b7ef513f543ce8a87d2539d54f21f5c99aa3bdcc64b

Download Submit
memory/212-143-0x0000000000000000-mapping.dmp

Download
memory/652-142-0x0000000000000000-mapping.dmp

Download
memory/748-145-0x0000000000000000-mapping.dmp

Download
memory/752-154-0x0000000000000000-mapping.dmp

Download
memory/824-156-0x0000000000000000-mapping.dmp

Download
memory/916-161-0x0000000000000000-mapping.dmp

Download
memory/1392-160-0x0000000000000000-mapping.dmp

Download
memory/1460-166-0x0000000000000000-mapping.dmp

Download
memory/1500-168-0x0000000000000000-mapping.dmp

Download
memory/1664-164-0x0000000000000000-mapping.dmp

Download
memory/1668-140-0x0000000000000000-mapping.dmp

Download
memory/1720-137-0x0000000000000000-mapping.dmp

Download
memory/1836-152-0x0000000000000000-mapping.dmp

Download
memory/1940-155-0x0000000000000000-mapping.dmp

Download
memory/2208-146-0x0000000000000000-mapping.dmp

Download
memory/2252-151-0x0000000000000000-mapping.dmp

Download
memory/2292-165-0x0000000000000000-mapping.dmp

Download
memory/2596-147-0x0000000000000000-mapping.dmp

Download
memory/2696-136-0x0000000000000000-mapping.dmp

Download
memory/3304-163-0x0000000000000000-mapping.dmp

Download
memory/3420-141-0x0000000000000000-mapping.dmp

Download
memory/3632-162-0x0000000000000000-mapping.dmp

Download
memory/3684-167-0x0000000000000000-mapping.dmp

Download
memory/3732-157-0x0000000000000000-mapping.dmp

Download
memory/3852-134-0x0000000000000000-mapping.dmp

Download
memory/3960-148-0x0000000000000000-mapping.dmp

Download
memory/4000-159-0x0000000000000000-mapping.dmp

Download
memory/4064-149-0x0000000000000000-mapping.dmp

Download
memory/4212-144-0x0000000000000000-mapping.dmp

Download
memory/4272-139-0x0000000000000000-mapping.dmp

Download
memory/4524-153-0x0000000000000000-mapping.dmp

Download
memory/4692-158-0x0000000000000000-mapping.dmp

Download
memory/4752-150-0x0000000000000000-mapping.dmp

Download
memory/4944-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads