90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc41bcfc78505d063a7c75acbf23616.exe
Size

235KB
MD5

0cc41bcfc78505d063a7c75acbf23616
SHA1

87e772597573fbaef0530c500064ee1a9b3acac1
SHA256

90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f
SHA512

f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305
SSDEEP

3072:YSm2cstIDf/WwUgKSIzKvsTWW+PV9LGjgrzRe1anbl7Okb0EgzwfWPwC5y7qv:IzshBpKvsTWW29y8hnblj03EZN7qv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe

Loads dropped DLL 4 IoCs

pid	Process
1932	0cc41bcfc78505d063a7c75acbf23616.exe
1932	0cc41bcfc78505d063a7c75acbf23616.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Interactive BranchCache Firewall Receiver = "C:\\Users\\Admin\\Local Settings\\Application Data\\llxfatvcpxvzw\\bsjzpzieyfdx.exe"	0cc41bcfc78505d063a7c75acbf23616.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe
2440	jxbcilol.exe
2220	bsjzpzieyfdx.exe
2220	bsjzpzieyfdx.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2220	1932	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 1932 wrote to memory of 2220	1932	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 1932 wrote to memory of 2220	1932	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 1932 wrote to memory of 2220	1932	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 2220 wrote to memory of 2440	2220	bsjzpzieyfdx.exe	29
PID 2220 wrote to memory of 2440	2220	bsjzpzieyfdx.exe	29
PID 2220 wrote to memory of 2440	2220	bsjzpzieyfdx.exe	29
PID 2220 wrote to memory of 2440	2220	bsjzpzieyfdx.exe	29

C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe
"C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe
  "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\jxbcilol.exe
    WATCHDOGPROC "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
133KB

MD5
d83c376ab43503ebbace75aa9244adf9

SHA1
a536a37332dbd784ab85e25358ad954945f1199d

SHA256
a4707ab4ad60f8619b24616a113969ff20b8a901a34378a1694216c1ce08fb14

SHA512
6597968a0ed9ce9379c93e1a19cfc2be814bd60fda505e826f35b993e168022b7bfc25c590a0d2cdb056637378930e8c901bde1ee25c47e55f5f8aba55f23e2d

Download Submit
\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
235KB

MD5
0cc41bcfc78505d063a7c75acbf23616

SHA1
87e772597573fbaef0530c500064ee1a9b3acac1

SHA256
90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

SHA512
f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305

Download Submit