Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 02:12

General

  • Target

    bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe

  • Size

    80KB

  • MD5

    9457260cd5f9f87716f1dfbc496f53a9

  • SHA1

    48a9166aecd7e3d4a833cbddfab1b725b1c08fa7

  • SHA256

    bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524

  • SHA512

    bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62

  • SSDEEP

    1536:BteqGDlXvCDB04f5Gn/L8ZlALNtnd17i9wt:Olg35GTclABtnDi9wt

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1196
        • C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
          "C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Windows\SysWOW64\ixbivoav.exe
            "C:\Windows\system32\ixbivoav.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1292
            • C:\Windows\SysWOW64\ixbivoav.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2016

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\akmisof.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\ocseatoog.exe

        Filesize

        84KB

        MD5

        dea9e4f621bf62a14d2f3453e237fd75

        SHA1

        9e9fef74f10bf15aec1765243c6a23480f9faed3

        SHA256

        edda7f6cecd88be7e50e9170fa5c3d4dcc52fac6d249c26440b8559f95d12684

        SHA512

        61afb1104a6c2f31f96a0ee9b1cd5db307177595aa03aea3baa4f8fd6b11d3a2940fd4186df44b3f79d411aae83864a2d24881975135445ba2b420532db85fd3

      • C:\Windows\SysWOW64\oupbeder.exe

        Filesize

        83KB

        MD5

        b8075c687547a07d533ed0244b8246b7

        SHA1

        98e9c651a061dcbd82e18e4b57ccd9aaba06962d

        SHA256

        cdf29182bf8a5a4482730919d2987ce547551d75890d9b50ed6043aa2f34246b

        SHA512

        bf8e715c675f494e2698cc570917e40fdd145eb6e43b800543b20e15afbb7dc6a578f5994bf691a55a1ee8e654f1acb6a921bd35ac50080fe88c0a15cebcbebe

      • \Windows\SysWOW64\ixbivoav.exe

        Filesize

        80KB

        MD5

        9457260cd5f9f87716f1dfbc496f53a9

        SHA1

        48a9166aecd7e3d4a833cbddfab1b725b1c08fa7

        SHA256

        bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524

        SHA512

        bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62

      • memory/1292-52-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/2016-53-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/2408-9-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB