90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

Analysis

max time kernel
147s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc41bcfc78505d063a7c75acbf23616.exe
Size

235KB
MD5

0cc41bcfc78505d063a7c75acbf23616
SHA1

87e772597573fbaef0530c500064ee1a9b3acac1
SHA256

90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f
SHA512

f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305
SSDEEP

3072:YSm2cstIDf/WwUgKSIzKvsTWW+PV9LGjgrzRe1anbl7Okb0EgzwfWPwC5y7qv:IzshBpKvsTWW29y8hnblj03EZN7qv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2984	bsjzpzieyfdx.exe
1272	jxbcilol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Interactive BranchCache Firewall Receiver = "C:\\Users\\Admin\\Local Settings\\Application Data\\llxfatvcpxvzw\\bsjzpzieyfdx.exe"	0cc41bcfc78505d063a7c75acbf23616.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
1272	jxbcilol.exe
1272	jxbcilol.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe
2984	bsjzpzieyfdx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 2984	3364	0cc41bcfc78505d063a7c75acbf23616.exe	39
PID 3364 wrote to memory of 2984	3364	0cc41bcfc78505d063a7c75acbf23616.exe	39
PID 3364 wrote to memory of 2984	3364	0cc41bcfc78505d063a7c75acbf23616.exe	39
PID 2984 wrote to memory of 1272	2984	bsjzpzieyfdx.exe	38
PID 2984 wrote to memory of 1272	2984	bsjzpzieyfdx.exe	38
PID 2984 wrote to memory of 1272	2984	bsjzpzieyfdx.exe	38

C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe
"C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe
  "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2984

C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\jxbcilol.exe
WATCHDOGPROC "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
69KB

MD5
2d30faa268161f5ba89c1be640813669

SHA1
864b36bb07b0fc925378f5bb25a007f4b5b18896

SHA256
4bba6c3a8b30dfcda10f7b6ba395235517ff553e78d8ba0f0ae66602c50ec7b8

SHA512
23468620ce1cdfea30a6d1223f943f4689e73fa218b533117e1555648f9c6368747d5b14c968ded11a09575d3b91acd6318194bed3cbae03ee12716aa50aa3de

Download Submit
C:\Users\Admin\AppData\Local\llxfatvcpxvzw\jxbcilol.exe

Filesize
35KB

MD5
f723193533c72e7fb2336e123ab927b7

SHA1
d14d39644d04378facf197e14ddee8123e12968d

SHA256
ce23f6ff1aefc0c4b6a7c719cd86137d94ef2616d95b3e527a33bf5628d72d49

SHA512
e88d850656722d6a6687e66959749ad5e25f806a025b98ce24450f64848f1e97fdf9f8a82980f2296ddff4646b8c10a8c73e285035d3640426065e28ab4a9f27

Download Submit
C:\Users\Admin\AppData\Local\llxfatvcpxvzw\jxbcilol.exe

Filesize
84KB

MD5
04d25f77c6b4892299af1a758ebecc81

SHA1
0f37d668892affb653446c1060c0e4c2fed806de

SHA256
891426813c007b8159354b4a3bc88589b4fb464977d019507533981ae8a24b7b

SHA512
0e5aa022bde6364374e606d3f8dafa42e3fa27dbdb1f0b0ddca4b618566dca82bbc54326796625246ac105046a6d984750b3d13f7093dd517edcceb8f7467f0c

Download Submit
C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
21KB

MD5
dc96c61173f15e52047f7cf2a1362746

SHA1
3743b4a6c84498bf1394dac2f8bd5d45a79e6671

SHA256
817d5ca60effc96bcdda302b80623da5643b026e82bc2833b9cd736e020fd9e8

SHA512
83c22197f66cea8daf91c131ec44b6917402494da6cbc3b5b8dad1f1d49cad7f324a178ff4cf1a5a850b67a8f2cdefe2bcf4c29848ef5eeee62c00706753d780

Download Submit
C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\jxbcilol.exe

Filesize
83KB

MD5
d38b6b338f3642450c12de4057bab766

SHA1
340c3d187d9ae6804ffec467039c61fd38c2fe97

SHA256
e20f2756e4f58a3cc7a6d48b1668e1e595a073f9b5cada5bcad018cdc19e426a

SHA512
168d4601bd59b17d10bee3457364ef242cd4042cd30c3339ec5de6dcff2780c1fd8bccc920e370fd4a1313ee8624db58c299be9ddda83816c0546cca9eadc3f0

Download Submit