90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc41bcfc78505d063a7c75acbf23616.exe
Size

235KB
MD5

0cc41bcfc78505d063a7c75acbf23616
SHA1

87e772597573fbaef0530c500064ee1a9b3acac1
SHA256

90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f
SHA512

f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305
SSDEEP

3072:YSm2cstIDf/WwUgKSIzKvsTWW+PV9LGjgrzRe1anbl7Okb0EgzwfWPwC5y7qv:IzshBpKvsTWW29y8hnblj03EZN7qv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe

Loads dropped DLL 4 IoCs

pid	Process
2984	0cc41bcfc78505d063a7c75acbf23616.exe
2984	0cc41bcfc78505d063a7c75acbf23616.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Interactive BranchCache Firewall Receiver = "C:\\Users\\Admin\\Local Settings\\Application Data\\llxfatvcpxvzw\\bsjzpzieyfdx.exe"	0cc41bcfc78505d063a7c75acbf23616.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
2232	bsjzpzieyfdx.exe
1552	jxbcilol.exe
2232	bsjzpzieyfdx.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2232	2984	0cc41bcfc78505d063a7c75acbf23616.exe	29
PID 2984 wrote to memory of 2232	2984	0cc41bcfc78505d063a7c75acbf23616.exe	29
PID 2984 wrote to memory of 2232	2984	0cc41bcfc78505d063a7c75acbf23616.exe	29
PID 2984 wrote to memory of 2232	2984	0cc41bcfc78505d063a7c75acbf23616.exe	29
PID 2232 wrote to memory of 1552	2232	bsjzpzieyfdx.exe	28
PID 2232 wrote to memory of 1552	2232	bsjzpzieyfdx.exe	28
PID 2232 wrote to memory of 1552	2232	bsjzpzieyfdx.exe	28
PID 2232 wrote to memory of 1552	2232	bsjzpzieyfdx.exe	28

C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe
"C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe
  "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232

C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\jxbcilol.exe
WATCHDOGPROC "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
14KB

MD5
8950bf801fb0163b068c9617cdcfcabc

SHA1
5f4ac7a614186c1b07b2b67a3bd4b0834f2b9c5c

SHA256
4f200c92b187441f1d67d2a3b96f99a50b15e1b9276a44bb114ce11e587e5d75

SHA512
4686ef371b4ac0a1b1b18d5d69d5720c72c1af1e6f04d3e37b2ba9c38f4fe24cca5e86e1b98c0336919343ec4a2d514630a9246a58c020e64a43e41cbfa87f65

Download Submit
C:\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
8KB

MD5
42ec541f9145fc03a3d2790e225fa58f

SHA1
4e29eca0932615827ffd12743c967c0a0927835f

SHA256
24ba1146092024523258cdfd3878ee8eafedbada0cb952a619a679bbff4602d8

SHA512
5e290f56c72a35f463a17a896173426bdf7f4191f2250daa47666dd3fbec5cf2baa7e491edc4efd3fe11db5c8115641dd2b92017f13cd95691ecc0adcfb420db

Download Submit
\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
47KB

MD5
4040b32533023151d389189263d61a60

SHA1
f14c5ee5f4f61ef9093059b3715c47a4a1dd2f9b

SHA256
1891cf8f0eeb8f591d19bd1d946c32d347a0186d31e284795d35e877eb215370

SHA512
bd0486d8e6f7aeff680415677929c83f827919c4d77dc0b0d5ec7b50ede0c151e4ac8b14fc6eaf238a7f76470e440c303ab2f8f3affe9d89e1de6955434986c2

Download Submit
\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
16KB

MD5
0aaa8f18aa13d17696d40cf7aaea4926

SHA1
31723b2b1bd2fc7ae3603bf106e796a6f5c6d549

SHA256
7a0e03be3f743147b5b1708de19cb9cc186472179472a57fc5bf1fb900be9a14

SHA512
84606fea0fe0b2b932f6fcfd94269fbbc21d1bce327cf63cae4ac1b6b3ab0fee9bbe6523ff841cb2c9b56274e56f145f47f0e8d2cb363eb5af5535b28f0deb0f

Download Submit