Analysis
- max time kernel: 44s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-10-2022 23:54
Static task: static1
Behavioral task: behavioral1
- Sample: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
- Resource: win10v2004-20220812-en
General
- Target: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
- Size: 48KB
- MD5: 00170a3b55eb74baea75ccecc1b26281
- SHA1: a1283b97699a17a691637da24d6ea6ab32090fb4
- SHA256: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6
- SHA512: d5db0a076cf4de70eaf7407c87e0e66c053acd5091358ad03ee2e51b0473af801c2d561f70e14b1e7d900b44d1e2d46094c2f2b552e5eec68a4950f070ca8742
- SSDEEP: 768:/wlvcHH7nua2oRSCAVnyTSTPdGAz73DfFc1EXsc:YlvcnzSymT1c1msc
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 1188), icacls.exe (PID 1252)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 1188), icacls.exe (PID 1252)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\okFd = "c:\\windows\\system32\\eoov.exe"
- Drops file in System32 directory (2 IoCs)
  Process: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
  File created: \??\c:\windows\SysWOW64\eoov.exe
  File opened for modification: \??\c:\windows\SysWOW64\eoov.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe (PID 620)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 620 (f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe) wrote to memory of PID 1188 (takeown.exe): 4 entries
  PID 620 (f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe) wrote to memory of PID 1252 (icacls.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe"
  Signatures:
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\eoov.exe"
    Signatures:
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\eoov.exe" /grant Users:F
    Signatures:
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\eoov.exe
  Filesize: 48KB
  MD5: 00170a3b55eb74baea75ccecc1b26281
  SHA1: a1283b97699a17a691637da24d6ea6ab32090fb4
  SHA256: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6
  SHA512: d5db0a076cf4de70eaf7407c87e0e66c053acd5091358ad03ee2e51b0473af801c2d561f70e14b1e7d900b44d1e2d46094c2f2b552e5eec68a4950f070ca8742
- memory/1188-56-0x0000000000000000-mapping.dmp
- memory/1252-57-0x0000000000000000-mapping.dmp