Overview

overview

8

Static

static

efc949dd5a...d7.exe

windows7-x64

8

efc949dd5a...d7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 09:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

  • Size

    36KB

  • MD5

    0d688c12a4c3d854061590d33a0d2386

  • SHA1

    0cde2788d8a01cf3bb1afe11606237fea50cf064

  • SHA256

    efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7

  • SHA512

    ea48150cce2a32b9e223c8164ac316ae930318cc47d8dffe2c92c06f3ba49d8b9a9cf670a59b1f6a355944638ff753e637d58b59f76cc732737838acca1a1fe4

  • SSDEEP

    768:/e0dD20UOGwSBv1BcAW7NaGS3Ktc3qtqR9:/e220VGF7W7NXqR9

Score
8/10
discoveryexploitpersistence

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe
    "C:\Users\Admin\AppData\Local\Temp\efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\system32\wuvib.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4916
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\system32\wuvib.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1812

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\wuvib.exe
    Filesize

    36KB

    MD5

    0d688c12a4c3d854061590d33a0d2386

    SHA1

    0cde2788d8a01cf3bb1afe11606237fea50cf064

    SHA256

    efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7

    SHA512

    ea48150cce2a32b9e223c8164ac316ae930318cc47d8dffe2c92c06f3ba49d8b9a9cf670a59b1f6a355944638ff753e637d58b59f76cc732737838acca1a1fe4

    Download Submit

  • memory/1812-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4916-134-0x0000000000000000-mapping.dmp

    Download