Analysis
-
max time kernel
120s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-10-2022 23:54
Static task
static1
Behavioral task
behavioral1
Sample
f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
Resource
win10v2004-20220812-en
General
-
Target
f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
-
Size
48KB
-
MD5
00170a3b55eb74baea75ccecc1b26281
-
SHA1
a1283b97699a17a691637da24d6ea6ab32090fb4
-
SHA256
f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6
-
SHA512
d5db0a076cf4de70eaf7407c87e0e66c053acd5091358ad03ee2e51b0473af801c2d561f70e14b1e7d900b44d1e2d46094c2f2b552e5eec68a4950f070ca8742
-
SSDEEP
768:/wlvcHH7nua2oRSCAVnyTSTPdGAz73DfFc1EXsc:YlvcnzSymT1c1msc
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes: takeown.exe, icacls.exe
pid   process
792   takeown.exe
3640  icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes: icacls.exe, takeown.exe
pid   process
3640  icacls.exe
792   takeown.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
description      ioc                                                                                                  process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                          f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\okFd = "c:\\windows\\system32\\eoov.exe"  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe -
Drops file in System32 directory 2 IoCs
Processes: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
description                   ioc                                process
File created                  \??\c:\windows\SysWOW64\eoov.exe   f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
File opened for modification  \??\c:\windows\SysWOW64\eoov.exe   f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
pid   process
2432  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes: f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe
description                    pid   process                                                                  target process
PID 2432 wrote to memory of 792   2432  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe  takeown.exe
PID 2432 wrote to memory of 792   2432  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe  takeown.exe
PID 2432 wrote to memory of 792   2432  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe  takeown.exe
PID 2432 wrote to memory of 3640  2432  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe  icacls.exe
PID 2432 wrote to memory of 3640  2432  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe  icacls.exe
PID 2432 wrote to memory of 3640  2432  f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe  icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe"
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432 -
  C:\Windows\SysWOW64\icacls.exe (tree depth 2, child of PID 2432)
  Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\eoov.exe" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3640 -
  C:\Windows\SysWOW64\takeown.exe (tree depth 2, child of PID 2432)
  Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\eoov.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:792
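The process tree above is the chain the sandbox labels "Possible privilege escalation attempt": the sample drops eoov.exe, runs takeown.exe /f and icacls.exe /grant Users:F against it, and registers the same path under the WOW6432Node Run key. Note that both command lines name c:\windows\system32 while the file-create event and the helper images sit under SysWOW64: the sample is 32-bit, so WoW64 file system redirection maps its System32 references to SysWOW64, and any correlation across the command-line, file and registry records has to fold that redirect. The following is an added detection example, not part of the sandbox report or its signatures: a small Python correlator run over constructed process-creation and registry-set events shaped after the report's fields. The PIDs, command lines and Run-key value are copied from the report; the sample's own parent PID (1000), the benign icacls event on a user directory and the field names are assumptions.

```python
"""Correlate takeown/icacls ACL changes on system directories with Run-key
persistence pointing at the same file (added example; constructed events)."""
import re
from pathlib import PureWindowsPath

SAMPLE_EXE = "f6b922e0b192cc27c25caa753fb58b03f243b7008e198bd5ec67fb98b3d757a6.exe"

# Constructed events mirroring the report's process tree. Parent PID 1000 for
# the sample and the benign icacls event (PID 5000) are assumed, not observed.
PROCESS_EVENTS = [
    {"pid": 2432, "ppid": 1000,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_EXE,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE_EXE + '"'},
    {"pid": 792, "ppid": 2432, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r'C:\Windows\system32\takeown.exe /f "c:\windows\system32\eoov.exe"'},
    {"pid": 3640, "ppid": 2432, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'C:\Windows\system32\icacls.exe "c:\windows\system32\eoov.exe" /grant Users:F'},
    # Routine admin work outside a system directory: must not fire.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls.exe "C:\Users\Admin\share" /grant Everyone:R'},
]
REGISTRY_EVENTS = [
    {"pid": 2432,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "okFd", "data": r"c:\windows\system32\eoov.exe"},
]

SYSTEM_DIR = "c:\\windows\\system32\\"
# Principals that make a grant "broad": Users, Everyone, Authenticated Users (names and SIDs).
BROAD_GRANTEES = {"users", "builtin\\users", "everyone", "authenticated users",
                  "*s-1-5-32-545", "*s-1-1-0", "*s-1-5-11"}
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$", re.I)


def norm_path(p):
    """Strip quotes and the \\??\\ NT prefix, lower-case, and fold the WoW64
    redirect so system32 and SysWOW64 spellings of one file compare equal."""
    p = p.strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower().replace("c:\\windows\\syswow64\\", SYSTEM_DIR)


def in_system_dir(p):
    return norm_path(p).startswith(SYSTEM_DIR)


def split_args(cmdline):
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_acl_command(ev):
    """Return (tool, normalized target path, grantee) for takeown/icacls, else None."""
    args = split_args(ev["cmdline"])
    if not args:
        return None
    tool = PureWindowsPath(args[0]).name.lower()
    low = [a.lower() for a in args]
    if tool == "takeown.exe" and "/f" in low and low.index("/f") + 1 < len(args):
        return ("takeown", norm_path(args[low.index("/f") + 1]), None)
    if tool == "icacls.exe" and len(args) > 1:
        for i, a in enumerate(low):
            if a.startswith("/grant") and i + 1 < len(args):  # covers /grant and /grant:r
                return ("icacls_grant", norm_path(args[1]), args[i + 1])
    return None


def grant_is_broad(grantee):
    """True when a Users/Everyone-style principal receives F, M or W rights."""
    name, _, perms = grantee.rpartition(":")
    perms = re.sub(r"\((?:OI|CI|IO|NP|I)\)", "", perms.upper()).strip("()")
    writable = any(r in perms.split(",") for r in ("F", "M", "W"))
    return name.lower() in BROAD_GRANTEES and writable


def analyze(process_events, registry_events):
    """Emit findings for ACL takeovers in system dirs and Run keys that use them."""
    by_parent = {}  # ppid -> {normalized path -> set of tools used on it}
    findings = []
    for ev in process_events:
        parsed = parse_acl_command(ev)
        if not parsed or not in_system_dir(parsed[1]):
            continue
        tool, path, grantee = parsed
        by_parent.setdefault(ev["ppid"], {}).setdefault(path, set()).add(tool)
        if tool == "icacls_grant" and grant_is_broad(grantee):
            findings.append({"rule": "broad_grant_on_system_file", "pid": ev["pid"],
                             "ppid": ev["ppid"], "path": path, "grantee": grantee})
    for ppid, paths in by_parent.items():
        for path, tools in paths.items():
            if {"takeown", "icacls_grant"} <= tools:  # same parent, same file, both steps
                findings.append({"rule": "takeown_icacls_chain", "ppid": ppid, "path": path})
    for rev in registry_events:
        if RUN_KEY_RE.search(rev["key"]) and in_system_dir(rev["data"]):
            target = norm_path(rev["data"])
            findings.append({"rule": "run_key_to_system_dir", "pid": rev["pid"],
                             "value": rev["value"], "path": target,
                             "acl_chain_on_same_file": target in by_parent.get(rev["pid"], {})})
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(finding)
```

On the constructed events this yields three findings: the broad grant by PID 3640, the takeown/icacls chain under parent 2432 on c:\windows\system32\eoov.exe, and the okFd Run value, marked as pointing at the same file the chain touched; the icacls call on the user-profile directory produces nothing. In a real pipeline the same normalization lets the File created \??\c:\windows\SysWOW64\eoov.exe record from the report be joined to these command lines as well.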
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\??\c:\windows\SysWOW64\eoov.exe
Filesize 30KB
MD5 b4acfb7670beb949226acab0dbe29273
SHA1 a6710f86fee214eb9df64ae9c61766a4c09838c2
SHA256 604b514a3fe823a83ed3823b79ee28fe2389766b271ab12d3eb13dfa3bf0ebf0
SHA512 200f8501aeb546df98eaa317b69c43c13c76fc08d1316a99128d8b2614771530192a8ce66a21cb976a24eb6affd05628f21e8adbf88aa322331b4d9aee2980ad
-
memory/792-134-0x0000000000000000-mapping.dmp
-
memory/3640-135-0x0000000000000000-mapping.dmp