Analysis
max time kernel: 149s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 02:12
Static task: static1
Behavioral task: behavioral1
  Sample: bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
  Resource: win10v2004-20241007-en
General
Target: bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
Size: 80KB
MD5: 9457260cd5f9f87716f1dfbc496f53a9
SHA1: 48a9166aecd7e3d4a833cbddfab1b725b1c08fa7
SHA256: bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524
SHA512: bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62
SSDEEP: 1536:BteqGDlXvCDB04f5Gn/L8ZlALNtnd17i9wt:Olg35GTclABtnDi9wt
Malware Config
Signatures
Windows security bypass
Processes (description: ioc (Process)):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" (ixbivoav.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" (ixbivoav.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" (ixbivoav.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" (ixbivoav.exe)
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes (description: ioc (Process)):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\StubPath = "C:\\Windows\\system32\\oupbeder.exe" (ixbivoav.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53} (ixbivoav.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" (ixbivoav.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594841-534f-4c53-4759-4841534F4c53}\IsInstalled = "1" (ixbivoav.exe)
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
Processes (description: ioc (Process)):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (ixbivoav.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" (ixbivoav.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ocseatoog.exe" (ixbivoav.exe)
Executes dropped EXE 2 IoCs
Processes (pid Process):
- 2752 ixbivoav.exe
- 4640 ixbivoav.exe
Windows security modification
Processes (description: ioc (Process)):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" (ixbivoav.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" (ixbivoav.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" (ixbivoav.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" (ixbivoav.exe)
Indicator Removal: Clear Persistence
Processes (description: ioc (Process)):
- Delete value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger (ixbivoav.exe)
Modifies WinLogon 2 TTPs 5 IoCs
Processes (description: ioc (Process)):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\akmisof.dll" (ixbivoav.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" (ixbivoav.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} (ixbivoav.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (ixbivoav.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" (ixbivoav.exe)
Drops file in System32 directory 9 IoCs
Processes (description: ioc (Process)):
- File opened for modification: C:\Windows\SysWOW64\ocseatoog.exe (ixbivoav.exe)
- File created: C:\Windows\SysWOW64\ocseatoog.exe (ixbivoav.exe)
- File created: C:\Windows\SysWOW64\oupbeder.exe (ixbivoav.exe)
- File opened for modification: C:\Windows\SysWOW64\akmisof.dll (ixbivoav.exe)
- File created: C:\Windows\SysWOW64\akmisof.dll (ixbivoav.exe)
- File opened for modification: C:\Windows\SysWOW64\ixbivoav.exe (bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe)
- File created: C:\Windows\SysWOW64\ixbivoav.exe (bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe)
- File opened for modification: C:\Windows\SysWOW64\oupbeder.exe (ixbivoav.exe)
- File opened for modification: C:\Windows\SysWOW64\ixbivoav.exe (ixbivoav.exe)
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description: ioc (Process)):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ixbivoav.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ixbivoav.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid Process; the 64 listed entries are repeats of these two rows):
- 2752 ixbivoav.exe (repeated)
- 4640 ixbivoav.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description: pid Process):
- Token: SeDebugPrivilege: 4980 bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
- Token: SeDebugPrivilege: 2752 ixbivoav.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description: pid Process, procid_target):
- PID 4980 wrote to memory of 2752: 4980 bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe, 83 (3 entries)
- PID 2752 wrote to memory of 616: 2752 ixbivoav.exe, 5 (1 entry)
- PID 2752 wrote to memory of 4640: 2752 ixbivoav.exe, 84 (3 entries)
- PID 2752 wrote to memory of 3504: 2752 ixbivoav.exe, 56 (all remaining entries, repeated)
Processes (image path, command line, PID, signatures)
- C:\Windows\system32\winlogon.exe, command line: winlogon.exe, PID:616
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, PID:3504
  - C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe, command line: "C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe", PID:4980
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ixbivoav.exe, command line: "C:\Windows\system32\ixbivoav.exe", PID:2752
      - Windows security bypass
      - Boot or Logon Autostart Execution: Active Setup
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Windows security modification
      - Indicator Removal: Clear Persistence
      - Modifies WinLogon
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ixbivoav.exe, command line: --k33p, PID:4640
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Downloads