Analysis
-
max time kernel
149s
-
max time network
119s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
-
submitted
13-11-2024 02:12
Static task
static1
Behavioral task
behavioral1
Sample
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
Resource
win10v2004-20241007-en
General
-
Target
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
-
Size
80KB
-
MD5
9457260cd5f9f87716f1dfbc496f53a9
-
SHA1
48a9166aecd7e3d4a833cbddfab1b725b1c08fa7
-
SHA256
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524
-
SHA512
bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62
-
SSDEEP
1536:BteqGDlXvCDB04f5Gn/L8ZlALNtnd17i9wt:Olg35GTclABtnDi9wt
Malware Config
Signatures
-
Windows security bypass 4 IoCs
Processes:
ixbivoav.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
ixbivoav.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751}\IsInstalled = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43434A42-5654-4751-4343-4A4256544751}\StubPath = "C:\\Windows\\system32\\oupbeder.exe"
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
Processes:
ixbivoav.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ocseatoog.exe"
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
-
Executes dropped EXE 2 IoCs
Processes:
  PID 1292  ixbivoav.exe
  PID 2016  ixbivoav.exe
-
Loads dropped DLL 3 IoCs
Processes:
  PID 2408  bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
  PID 2408  bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
  PID 1292  ixbivoav.exe
-
Windows security modification 4 IoCs
Processes:
ixbivoav.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"
-
Indicator Removal: Clear Persistence 1 IoCs
Processes:
ixbivoav.exe
  Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger
-
Modifies WinLogon 2 TTPs 5 IoCs
Processes:
ixbivoav.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\akmisof.dll"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"
-
Drops file in System32 directory 9 IoCs
Processes:
ixbivoav.exe
  File created C:\Windows\SysWOW64\akmisof.dll
  File opened for modification C:\Windows\SysWOW64\oupbeder.exe
  File opened for modification C:\Windows\SysWOW64\akmisof.dll
  File opened for modification C:\Windows\SysWOW64\ocseatoog.exe
  File created C:\Windows\SysWOW64\ocseatoog.exe
  File created C:\Windows\SysWOW64\oupbeder.exe
  File opened for modification C:\Windows\SysWOW64\ixbivoav.exe
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
  File opened for modification C:\Windows\SysWOW64\ixbivoav.exe
  File created C:\Windows\SysWOW64\ixbivoav.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ixbivoav.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID 1292  ixbivoav.exe  (63 of the 64 listed entries)
  PID 2016  ixbivoav.exe  (1 entry)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  PID 2408  bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe  Token: SeDebugPrivilege
  PID 1292  ixbivoav.exe  Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  PID 2408 (bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe) wrote to memory of PID 1292 (ixbivoav.exe), procid_target 30  (4 entries)
  PID 1292 (ixbivoav.exe) wrote to memory of PID 428 (winlogon.exe), procid_target 5  (1 entry)
  PID 1292 (ixbivoav.exe) wrote to memory of PID 2016 (ixbivoav.exe), procid_target 31  (4 entries)
  PID 1292 (ixbivoav.exe) wrote to memory of PID 1196 (Explorer.EXE), procid_target 21  (all remaining entries; 64 IoCs listed in total)
Processes
-
C:\Windows\system32\winlogon.exe  (cmdline: winlogon.exe)  [depth 1]
  PID:428
-
C:\Windows\Explorer.EXE  (cmdline: C:\Windows\Explorer.EXE)  [depth 1]
  PID:1196
  -
  C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe")  [depth 2]
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
    -
    C:\Windows\SysWOW64\ixbivoav.exe  (cmdline: "C:\Windows\system32\ixbivoav.exe")  [depth 3]
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1292
      -
      C:\Windows\SysWOW64\ixbivoav.exe  (cmdline: --k33p)  [depth 4]
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID:2016
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads
-
Filesize
5KB
MD5
f37b21c00fd81bd93c89ce741a88f183
SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
84KB
MD5
dea9e4f621bf62a14d2f3453e237fd75
SHA1
9e9fef74f10bf15aec1765243c6a23480f9faed3
SHA256
edda7f6cecd88be7e50e9170fa5c3d4dcc52fac6d249c26440b8559f95d12684
SHA512
61afb1104a6c2f31f96a0ee9b1cd5db307177595aa03aea3baa4f8fd6b11d3a2940fd4186df44b3f79d411aae83864a2d24881975135445ba2b420532db85fd3
-
Filesize
83KB
MD5
b8075c687547a07d533ed0244b8246b7
SHA1
98e9c651a061dcbd82e18e4b57ccd9aaba06962d
SHA256
cdf29182bf8a5a4482730919d2987ce547551d75890d9b50ed6043aa2f34246b
SHA512
bf8e715c675f494e2698cc570917e40fdd145eb6e43b800543b20e15afbb7dc6a578f5994bf691a55a1ee8e654f1acb6a921bd35ac50080fe88c0a15cebcbebe
-
Filesize
80KB
MD5
9457260cd5f9f87716f1dfbc496f53a9
SHA1
48a9166aecd7e3d4a833cbddfab1b725b1c08fa7
SHA256
bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524
SHA512
bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62