efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe
Size

36KB
MD5

0d688c12a4c3d854061590d33a0d2386
SHA1

0cde2788d8a01cf3bb1afe11606237fea50cf064
SHA256

efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7
SHA512

ea48150cce2a32b9e223c8164ac316ae930318cc47d8dffe2c92c06f3ba49d8b9a9cf670a59b1f6a355944638ff753e637d58b59f76cc732737838acca1a1fe4
SSDEEP

768:/e0dD20UOGwSBv1BcAW7NaGS3Ktc3qtqR9:/e220VGF7W7NXqR9

Score

8^/10

discovery exploit persistence

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4916 takeown.exe
1812 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4916 takeown.exe
1812 icacls.exe

pid	process
4916	takeown.exe
1812	icacls.exe

pid	process
4916	takeown.exe
1812	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuvXC = "C:\\Windows\\system32\\wuvib.exe"	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

Drops file in System32 directory 2 IoCs

Processes:

efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wuvib.exe	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe
File opened for modification	C:\Windows\SysWOW64\wuvib.exe	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

pid process

4988 efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

pid	process
4988	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe

description	pid	process	target process
PID 4988 wrote to memory of 4916	4988	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe	takeown.exe
PID 4988 wrote to memory of 4916	4988	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe	takeown.exe
PID 4988 wrote to memory of 4916	4988	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe	takeown.exe
PID 4988 wrote to memory of 1812	4988	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe	icacls.exe
PID 4988 wrote to memory of 1812	4988	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe	icacls.exe
PID 4988 wrote to memory of 1812	4988	efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe
"C:\Users\Admin\AppData\Local\Temp\efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\wuvib.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4916

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\wuvib.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wuvib.exe
Filesize
36KB

MD5
0d688c12a4c3d854061590d33a0d2386

SHA1
0cde2788d8a01cf3bb1afe11606237fea50cf064

SHA256
efc949dd5a1237095fca62fa50b9df10bac2b741f449c0aef0926139d70b77d7

SHA512
ea48150cce2a32b9e223c8164ac316ae930318cc47d8dffe2c92c06f3ba49d8b9a9cf670a59b1f6a355944638ff753e637d58b59f76cc732737838acca1a1fe4

Download Submit
memory/1812-135-0x0000000000000000-mapping.dmp

Download
memory/4916-134-0x0000000000000000-mapping.dmp

Download