617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282

Analysis

max time kernel
25s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
Size

579KB
MD5

df26e9dc7a802b597170923e52b19d5c
SHA1

80ce216b4ea7841382455b88cee389713f3f70d7
SHA256

617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282
SHA512

24ab5ad4a5b73aeea85a20bfac5ce1f7f2eb006f6355dffbbe5344707a431ab5cbdde363af8ca4637073a712c8ea4513dd28c218ce89d62b8b1a3f3bc4589367
SSDEEP

12288:tJeYWA9zeFeCl3Nl6lDjhg9qRsGB6suBldfBhT:t4RAB2l3CFjmoRXB6suBDLT

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
2436	IaOvsBv.exe
1972	IaOvsBv.exe
2856	IaOvsBv.exe
2736	IaOvsBv.exe
2808	IaOvsBv.exe
2700	IaOvsBv.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
2436	IaOvsBv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2700-36-0x0000000000280000-0x000000000028B000-memory.dmp	upx
behavioral1/memory/2700-35-0x0000000000280000-0x000000000028B000-memory.dmp	upx
behavioral1/memory/2700-41-0x00000000005E0000-0x00000000005EB000-memory.dmp	upx
behavioral1/memory/2700-38-0x00000000005E0000-0x00000000005EB000-memory.dmp	upx
behavioral1/memory/2700-74-0x0000000000280000-0x000000000028B000-memory.dmp	upx
behavioral1/memory/2700-76-0x00000000005E0000-0x00000000005EB000-memory.dmp	upx

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 1720 set thread context of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 1720 set thread context of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 1720 set thread context of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 2436 set thread context of 1972	2436	IaOvsBv.exe	17
PID 2436 set thread context of 1972	2436	IaOvsBv.exe	17
PID 2436 set thread context of 1972	2436	IaOvsBv.exe	17
PID 2436 set thread context of 1972	2436	IaOvsBv.exe	17
PID 2856 set thread context of 2736	2856	IaOvsBv.exe	32
PID 2856 set thread context of 2736	2856	IaOvsBv.exe	32
PID 2856 set thread context of 2736	2856	IaOvsBv.exe	32
PID 2856 set thread context of 2736	2856	IaOvsBv.exe	32
PID 2808 set thread context of 2700	2808	IaOvsBv.exe	36
PID 2808 set thread context of 2700	2808	IaOvsBv.exe	36
PID 2808 set thread context of 2700	2808	IaOvsBv.exe	36
PID 2808 set thread context of 2700	2808	IaOvsBv.exe	36

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IaOvsBv.exe	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
File opened for modification	C:\Program Files (x86)\IaOvsBv.exe	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
1972	IaOvsBv.exe
2736	IaOvsBv.exe
2700	IaOvsBv.exe
2700	IaOvsBv.exe
2700	IaOvsBv.exe
2700	IaOvsBv.exe
2700	IaOvsBv.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	IaOvsBv.exe
Token: SeDebugPrivilege	2700	IaOvsBv.exe
Token: SeDebugPrivilege	2700	IaOvsBv.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
1972	IaOvsBv.exe
1972	IaOvsBv.exe
2736	IaOvsBv.exe
2736	IaOvsBv.exe
2700	IaOvsBv.exe
2700	IaOvsBv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 1720 wrote to memory of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 1720 wrote to memory of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 1720 wrote to memory of 2504	1720	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	14
PID 2504 wrote to memory of 2436	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	18
PID 2504 wrote to memory of 2436	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	18
PID 2504 wrote to memory of 2436	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	18
PID 2504 wrote to memory of 2436	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	18
PID 2436 wrote to memory of 1972	2436	IaOvsBv.exe	17
PID 2436 wrote to memory of 1972	2436	IaOvsBv.exe	17
PID 2436 wrote to memory of 1972	2436	IaOvsBv.exe	17
PID 2436 wrote to memory of 1972	2436	IaOvsBv.exe	17
PID 2856 wrote to memory of 2736	2856	IaOvsBv.exe	32
PID 2856 wrote to memory of 2736	2856	IaOvsBv.exe	32
PID 2856 wrote to memory of 2736	2856	IaOvsBv.exe	32
PID 2856 wrote to memory of 2736	2856	IaOvsBv.exe	32
PID 2736 wrote to memory of 2808	2736	IaOvsBv.exe	37
PID 2736 wrote to memory of 2808	2736	IaOvsBv.exe	37
PID 2736 wrote to memory of 2808	2736	IaOvsBv.exe	37
PID 2736 wrote to memory of 2808	2736	IaOvsBv.exe	37
PID 2808 wrote to memory of 2700	2808	IaOvsBv.exe	36
PID 2808 wrote to memory of 2700	2808	IaOvsBv.exe	36
PID 2808 wrote to memory of 2700	2808	IaOvsBv.exe	36
PID 2808 wrote to memory of 2700	2808	IaOvsBv.exe	36
PID 2504 wrote to memory of 2932	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	35
PID 2504 wrote to memory of 2932	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	35
PID 2504 wrote to memory of 2932	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	35
PID 2504 wrote to memory of 2932	2504	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	35
PID 2932 wrote to memory of 2776	2932	cmd.exe	34
PID 2932 wrote to memory of 2776	2932	cmd.exe	34
PID 2932 wrote to memory of 2776	2932	cmd.exe	34
PID 2932 wrote to memory of 2776	2932	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
"C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Program Files (x86)\IaOvsBv.exe
  -auto
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2932

C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
"C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files (x86)\IaOvsBv.exe
-auto
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Program Files (x86)\IaOvsBv.exe
"C:\Program Files (x86)\IaOvsBv.exe" Service 1
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files (x86)\IaOvsBv.exe
  "C:\Program Files (x86)\IaOvsBv.exe" Service 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files (x86)\IaOvsBv.exe
    -a1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2808

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
1⤵
- Runs ping.exe
PID:2776

C:\Program Files (x86)\IaOvsBv.exe
-a1
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IaOvsBv.exe

Filesize
114KB

MD5
9cc8f00450b8867835381fb25a2019c6

SHA1
37456d8f356104e7a9b58bc7e348b07b05c9bfd8

SHA256
173f63be03f4f9cf3ef082a05aa4605e3508f1af1de3dd81e7baca059492e7a3

SHA512
589ac0f56e92cf207d864de6ec6b65239f372085437124273743ad4718d80a62e81b71de4bacd9a55d451839b617eb8b3c36586baa7600719fb02ee630a1001f

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
119KB

MD5
aec0b7a663415d5108ae7937de43cdcf

SHA1
02ed347f69a0364b7d1e393af3d36d92e193e3db

SHA256
1853d4b8fed588e104be52c5de7d9696453a44d1af8d1568eb3164d8eea1bf25

SHA512
4d6115e6f9e367b1b911ebfcf0852eada6bb1d26c07ca093d153e3adbc25d60c8b09ae6694a112042540d487e7f9376e4757f2ebc7b3702f4a3c865ada096c54

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
195KB

MD5
81e73d96d8b70751b11fdf82e165a0d4

SHA1
c40d67bd63db673d6e42bba15ea4e317f32883e5

SHA256
916ab3470f2a4401cb556253bcc8b37909560db06d493e23f83ce6d8b3a58ef5

SHA512
937051dc3a20efc25403b1dcca6dac3c678d1bc09d40449291a64cd5bb4187f59937534821f6687f727c737175af5912161b8f09706aad8cb69165a9f1e1a684

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
152KB

MD5
c517c8feadcae487d594359a78208c9d

SHA1
4bf39627865c2760e4cd22423a3069692555f697

SHA256
10ab921fe3c50291680986b29c3d2d22baae0dc8f9ae177d0ce302fbdafc0d4a

SHA512
55bc7596bf4677a85281189a9b2b694718de2cb018f576064bf77a02b197cc28693a113147352f0edb2543af9f7aed6fe8fde0fa14718da223ae60adec792327

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
41KB

MD5
e1b51bb48ca28f92ba9d5361509c2f22

SHA1
4500d176b12027de9a90d665b2689406049bf3e9

SHA256
5de7d93a1823167802c40e11d6dff046ab2a27fbf20b69f2809183edfd006ea8

SHA512
0e9ed6f33edeb06f93356957ceed9f20e45693e60070519f80747e45e455c0bbffeb312e7de5e26fe1799f7cf46adb663ee51e7dabc8a93a65bc30eb76e05691

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
124KB

MD5
6a2bd44ff2f463354b85007736fdc005

SHA1
31db2d851dee6505daca271042f5d20cc3512496

SHA256
35597f6ce094e336890e556670a8f80cdfd5ef444e55d0aea4a1f28f858f7e66

SHA512
c36c9cda27e1ff5dfcb5024b2d9adea5b07bb7a9b5d13fbe28f4e19237c62957b28c69b081dda018dd3183067c516b991e9913d162e0901c8dece7b0ca3401cd

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
9KB

MD5
e150ebed9668aedc02321e716a180b62

SHA1
8c94b74c5e9978c1426b08c5be72ac27101d3e34

SHA256
08d60497a4ad3dfb5091308f39a28c5815aa6959acffdfebd42390048a2314c5

SHA512
dc189df0ded92372ef0536bf4e4b2e743ad4efadfce0aff7dba80a526cd5e767619bbcada577e1866c0358d3ec45611fce22f40e37b379fa2fa4e9e7db23f1e9

Download Submit
\Program Files (x86)\IaOvsBv.exe

Filesize
136KB

MD5
362047ec3f3af99e04bebb0ef56e6f75

SHA1
21a2ec70a67fd2f31aad9c41b6542a673741decc

SHA256
309c291a784d50a0258a141accf8a34b466925560370b1bd1b119946ea8b95b7

SHA512
bbd73a19144b7b38aa01a9972e5e20388588eb2983f7bee0e0d1f4167983c38338942380d45b596fe38cfcf5c7e0d81b09c3c00832bb37ef05df3f6aceb42168

Download Submit
\Program Files (x86)\IaOvsBv.exe

Filesize
116KB

MD5
2905ad0bcb47fa0d1f7e1948334c18dc

SHA1
b2121f767fd4fa8be0de65f5590edadeb9265167

SHA256
e9cabf8e69655f476e1e7652fb77e7d857734abf6aaa3dc130cc77f3d8f4caf3

SHA512
4e4d7772f3f67f403b4380e9840b145d639fe27580cbb3fd71b18b6c89f119375db1aa9c9a8e57e0b2d23124d20f618325fb4b5cc0a9a52c8a29fc028f3e0f9a

Download Submit
memory/1720-32-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/1720-0-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/1720-20-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/1720-1-0x0000000000510000-0x0000000000614000-memory.dmp

Filesize
1.0MB

Download
memory/1972-15-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/1972-14-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/1972-30-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2436-16-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2436-29-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2504-3-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2504-33-0x00000000020F0000-0x00000000021F4000-memory.dmp

Filesize
1.0MB

Download
memory/2504-28-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2504-9-0x00000000020F0000-0x00000000021F4000-memory.dmp

Filesize
1.0MB

Download
memory/2504-2-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2504-4-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/2504-34-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2700-38-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/2700-31-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2700-76-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/2700-36-0x0000000000280000-0x000000000028B000-memory.dmp

Filesize
44KB

Download
memory/2700-35-0x0000000000280000-0x000000000028B000-memory.dmp

Filesize
44KB

Download
memory/2700-74-0x0000000000280000-0x000000000028B000-memory.dmp

Filesize
44KB

Download
memory/2700-69-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2700-40-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2700-39-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2700-37-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2700-44-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2700-46-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2700-42-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2700-41-0x00000000005E0000-0x00000000005EB000-memory.dmp

Filesize
44KB

Download
memory/2736-22-0x0000000000370000-0x0000000000374000-memory.dmp

Filesize
16KB

Download
memory/2736-21-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2736-27-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2808-68-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2808-25-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2856-24-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2856-18-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download