617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282

General

Target

617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
Size

579KB
MD5

df26e9dc7a802b597170923e52b19d5c
SHA1

80ce216b4ea7841382455b88cee389713f3f70d7
SHA256

617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282
SHA512

24ab5ad4a5b73aeea85a20bfac5ce1f7f2eb006f6355dffbbe5344707a431ab5cbdde363af8ca4637073a712c8ea4513dd28c218ce89d62b8b1a3f3bc4589367
SSDEEP

12288:tJeYWA9zeFeCl3Nl6lDjhg9qRsGB6suBldfBhT:t4RAB2l3CFjmoRXB6suBDLT

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe

Executes dropped EXE 6 IoCs

pid	Process
2372	IaOvsBv.exe
3760	IaOvsBv.exe
1616	IaOvsBv.exe
3892	IaOvsBv.exe
3092	IaOvsBv.exe
4960	IaOvsBv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4960-32-0x00000000007D0000-0x00000000007DB000-memory.dmp	upx
behavioral2/memory/4960-33-0x00000000007D0000-0x00000000007DB000-memory.dmp	upx
behavioral2/memory/4960-42-0x00000000040F0000-0x00000000040FB000-memory.dmp	upx
behavioral2/memory/4960-36-0x00000000040F0000-0x00000000040FB000-memory.dmp	upx
behavioral2/memory/4960-69-0x00000000007D0000-0x00000000007DB000-memory.dmp	upx
behavioral2/memory/4960-73-0x00000000040F0000-0x00000000040FB000-memory.dmp	upx

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 4964	748	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	90
PID 748 set thread context of 4964	748	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	90
PID 748 set thread context of 4964	748	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	90
PID 2372 set thread context of 3760	2372	IaOvsBv.exe	93
PID 2372 set thread context of 3760	2372	IaOvsBv.exe	93
PID 2372 set thread context of 3760	2372	IaOvsBv.exe	93
PID 1616 set thread context of 3892	1616	IaOvsBv.exe	95
PID 1616 set thread context of 3892	1616	IaOvsBv.exe	95
PID 1616 set thread context of 3892	1616	IaOvsBv.exe	95
PID 3092 set thread context of 4960	3092	IaOvsBv.exe	96
PID 3092 set thread context of 4960	3092	IaOvsBv.exe	96
PID 3092 set thread context of 4960	3092	IaOvsBv.exe	96

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IaOvsBv.exe	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
File opened for modification	C:\Program Files (x86)\IaOvsBv.exe	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4900	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
3760	IaOvsBv.exe
3760	IaOvsBv.exe
3892	IaOvsBv.exe
3892	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4960	IaOvsBv.exe
Token: SeDebugPrivilege	4960	IaOvsBv.exe
Token: SeDebugPrivilege	4960	IaOvsBv.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
3760	IaOvsBv.exe
3760	IaOvsBv.exe
3892	IaOvsBv.exe
3892	IaOvsBv.exe
4960	IaOvsBv.exe
4960	IaOvsBv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4964	748	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	90
PID 748 wrote to memory of 4964	748	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	90
PID 748 wrote to memory of 4964	748	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	90
PID 4964 wrote to memory of 2372	4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	92
PID 4964 wrote to memory of 2372	4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	92
PID 4964 wrote to memory of 2372	4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	92
PID 2372 wrote to memory of 3760	2372	IaOvsBv.exe	93
PID 2372 wrote to memory of 3760	2372	IaOvsBv.exe	93
PID 2372 wrote to memory of 3760	2372	IaOvsBv.exe	93
PID 1616 wrote to memory of 3892	1616	IaOvsBv.exe	95
PID 1616 wrote to memory of 3892	1616	IaOvsBv.exe	95
PID 1616 wrote to memory of 3892	1616	IaOvsBv.exe	95
PID 3892 wrote to memory of 3092	3892	IaOvsBv.exe	97
PID 3892 wrote to memory of 3092	3892	IaOvsBv.exe	97
PID 3892 wrote to memory of 3092	3892	IaOvsBv.exe	97
PID 3092 wrote to memory of 4960	3092	IaOvsBv.exe	96
PID 3092 wrote to memory of 4960	3092	IaOvsBv.exe	96
PID 3092 wrote to memory of 4960	3092	IaOvsBv.exe	96
PID 4964 wrote to memory of 3200	4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	98
PID 4964 wrote to memory of 3200	4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	98
PID 4964 wrote to memory of 3200	4964	617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe	98
PID 3200 wrote to memory of 4900	3200	cmd.exe	100
PID 3200 wrote to memory of 4900	3200	cmd.exe	100
PID 3200 wrote to memory of 4900	3200	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
"C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe
  "C:\Users\Admin\AppData\Local\Temp\617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Program Files (x86)\IaOvsBv.exe
    -auto
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files (x86)\IaOvsBv.exe
      -auto
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4900

C:\Program Files (x86)\IaOvsBv.exe
"C:\Program Files (x86)\IaOvsBv.exe" Service 1
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files (x86)\IaOvsBv.exe
  "C:\Program Files (x86)\IaOvsBv.exe" Service 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Program Files (x86)\IaOvsBv.exe
    -a1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3092

C:\Program Files (x86)\IaOvsBv.exe
-a1
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IaOvsBv.exe

Filesize
563KB

MD5
e12be463635534061985ed1b1d3cadc6

SHA1
d7803999e30b720796cd8df552bf013933ad6bbf

SHA256
177ea2a74859015f11ff8da2722a722ff32e5a9ff42d184cad8c2cca97fec6f1

SHA512
0b18b4ec0ec83aa419303678d7a7e57fc42038c5694ab5941b24b8b02855ff38e2317eaa9c8a5fc813309bc6fe09f452d5ce73f5b4cbf71ef45557c3f14dcbb1

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
574KB

MD5
a1d24fbd272e15570e2b4749937b2292

SHA1
b1c7f5d80f6ff5b0c6ff625261a658e8f644e842

SHA256
1065fe578ca2501123c1de9f62b311909abdb36c57ae375b72a49fd0390be80f

SHA512
7c917c31b2fc5b94980c833e5165accf0ff0738f777499cb1666401d29af48e273df2b90c988876bdd5f3cd1a8ab795f8e6e8c06ca1189b700127c39a54237f9

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
347KB

MD5
3bd017578711e857925a6dbab9557918

SHA1
b3b703af6a21f2b0e6ad13a21658c34ab8e2d367

SHA256
591b7d23732b6ab61610829dbbeeea2bec2fb0e3992a45a9361ccb9b696900d0

SHA512
8a84d921ccedbbfb72db82df80f910b476a14de18bdc1dbc704c3be5f8ccfac597ec7e499d8de2b148cc1e62dc734d04ed567cf078d8e2cbe5d3159dd3e569f6

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
426KB

MD5
ba67ecc5bf6dbe828a8e8caf1d1ec3dd

SHA1
8c0a55f5d386ac4ce778a1c74ad785d706a3cae4

SHA256
0d42e81e19dfea1181790abe487f9d414c274bb6d8fb669f4a3f274cc70bebfc

SHA512
1854551247283750c4aa710237ce5f4da344de76cdc101039736421eb7fce178690cced99e56155160d538c2d7bb9d5ccbae702c993d88308b08c4796a51a9f0

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
579KB

MD5
df26e9dc7a802b597170923e52b19d5c

SHA1
80ce216b4ea7841382455b88cee389713f3f70d7

SHA256
617a510c5e45f807258bd9a7af33fe99dd0c1edab5f605d0f5e5b4e9c7003282

SHA512
24ab5ad4a5b73aeea85a20bfac5ce1f7f2eb006f6355dffbbe5344707a431ab5cbdde363af8ca4637073a712c8ea4513dd28c218ce89d62b8b1a3f3bc4589367

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
559KB

MD5
5b4e3b8ca24fe745ff25440aec3cdb43

SHA1
df4d4506bc0c0d2ed22396ce27e95fc06ec3e803

SHA256
44b19d3890d3b028f47a4a6146e5dc7aa36be9dfa9ec1251a83211832f9c4e9e

SHA512
6f68b64bc43e981ddea0899dbbd3b4f8681bfd0810532fdaa770ab350b3528a1ab63fda6ea3b9bd562e4834829af816c3b42fc893a0b54a794710f99afa74259

Download Submit
C:\Program Files (x86)\IaOvsBv.exe

Filesize
324KB

MD5
650ec95259e726f582ee08e77c1f2c30

SHA1
08894ec2fcb938cd9d674722aa16a852e04d6c2b

SHA256
d23e7a7d997cff30d9ff0a815b61b9d053c720dfdc18aa765915473798a243a4

SHA512
21de01eaddd62081cedbda1c8f22b19ae361c06fd6fa85e74f2674ba74797d598f43326887a2ca88cd0b359b180b137b5cbe02a41e24437b6c864c6b799e416b

Download Submit
memory/748-30-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/748-0-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/748-15-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/1616-13-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/1616-23-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2372-26-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/2372-24-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/3092-35-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/3092-22-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/3760-10-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/3760-27-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/3892-16-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/3892-25-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/3892-19-0x0000000000590000-0x0000000000594000-memory.dmp

Filesize
16KB

Download
memory/4960-40-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4960-38-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4960-73-0x00000000040F0000-0x00000000040FB000-memory.dmp

Filesize
44KB

Download
memory/4960-70-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/4960-32-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/4960-33-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/4960-34-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/4960-69-0x00000000007D0000-0x00000000007DB000-memory.dmp

Filesize
44KB

Download
memory/4960-37-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/4960-28-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/4960-39-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/4960-41-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/4960-42-0x00000000040F0000-0x00000000040FB000-memory.dmp

Filesize
44KB

Download
memory/4960-43-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/4960-36-0x00000000040F0000-0x00000000040FB000-memory.dmp

Filesize
44KB

Download
memory/4964-18-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/4964-1-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download
memory/4964-3-0x00000000001F0000-0x00000000001F4000-memory.dmp

Filesize
16KB

Download
memory/4964-31-0x0000000000400000-0x0000000000503B78-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing