Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 02:12

General

  • Target

    bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe

  • Size

    80KB

  • MD5

    9457260cd5f9f87716f1dfbc496f53a9

  • SHA1

    48a9166aecd7e3d4a833cbddfab1b725b1c08fa7

  • SHA256

    bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524

  • SHA512

    bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62

  • SSDEEP

    1536:BteqGDlXvCDB04f5Gn/L8ZlALNtnd17i9wt:Olg35GTclABtnDi9wt

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3504
        • C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe
          "C:\Users\Admin\AppData\Local\Temp\bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Windows\SysWOW64\ixbivoav.exe
            "C:\Windows\system32\ixbivoav.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\SysWOW64\ixbivoav.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4640

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\akmisof.dll

        Filesize

        5KB

        MD5

        f37b21c00fd81bd93c89ce741a88f183

        SHA1

        b2796500597c68e2f5638e1101b46eaf32676c1c

        SHA256

        76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

        SHA512

        252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

      • C:\Windows\SysWOW64\ixbivoav.exe

        Filesize

        80KB

        MD5

        9457260cd5f9f87716f1dfbc496f53a9

        SHA1

        48a9166aecd7e3d4a833cbddfab1b725b1c08fa7

        SHA256

        bc066aae21f879781dc09c6295181109ed4bc9acff4789850589f89f630a5524

        SHA512

        bf464c469eb2da0910972aef8a72b9bbffaba2484183ac76d3d092ad1603f37588d6add805e27a8b6d954cc5cfc419cea2ba6e84785f48fc69fdf48cca5d8d62

      • C:\Windows\SysWOW64\ocseatoog.exe

        Filesize

        84KB

        MD5

        60a59c61b163f6eb02b7cd424426e0af

        SHA1

        0551876c7fdfc1dfc693d71c054eb988486b08bc

        SHA256

        59aa7d4ce7f5de0bfae311e258ccbf41de8f351438cb8b5fd096680bd7e6f2c5

        SHA512

        bd0d99fa5b0835fc7b8a703f7a8395f0123cb0d0a2fadbfbfeb7b866c91f3d22622e71ce51799e764538a6851e28e6db629c0ac13173062f89f22b3db6dc5246

      • C:\Windows\SysWOW64\oupbeder.exe

        Filesize

        83KB

        MD5

        f36162575bb42b2093f1fd7d587b13df

        SHA1

        1e1a5170ac2a7dc8d767d8c3fd13d67d568bc79c

        SHA256

        4316d51bee7e93545d1ec2c9711102031bc604412e4a3f7dbb657645ff7ea2e0

        SHA512

        562d6a57df2d0c6779e54bcbb77b1002f8d82e8d53244f3d0ad8328d7d7c15abd3cd5a503a6cf49371d73e1d935123ebc8a19dfd4d4f3a5a9eb51274c3f1bf25

      • memory/2752-46-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/4640-47-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/4980-5-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB