90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc41bcfc78505d063a7c75acbf23616.exe
Size

235KB
MD5

0cc41bcfc78505d063a7c75acbf23616
SHA1

87e772597573fbaef0530c500064ee1a9b3acac1
SHA256

90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f
SHA512

f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305
SSDEEP

3072:YSm2cstIDf/WwUgKSIzKvsTWW+PV9LGjgrzRe1anbl7Okb0EgzwfWPwC5y7qv:IzshBpKvsTWW29y8hnblj03EZN7qv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Interactive BranchCache Firewall Receiver = "C:\\Users\\Admin\\Local Settings\\Application Data\\llxfatvcpxvzw\\bsjzpzieyfdx.exe"	0cc41bcfc78505d063a7c75acbf23616.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe
4332	jxbcilol.exe
4332	jxbcilol.exe
316	bsjzpzieyfdx.exe
316	bsjzpzieyfdx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 316	456	0cc41bcfc78505d063a7c75acbf23616.exe	91
PID 456 wrote to memory of 316	456	0cc41bcfc78505d063a7c75acbf23616.exe	91
PID 456 wrote to memory of 316	456	0cc41bcfc78505d063a7c75acbf23616.exe	91
PID 316 wrote to memory of 4332	316	bsjzpzieyfdx.exe	92
PID 316 wrote to memory of 4332	316	bsjzpzieyfdx.exe	92
PID 316 wrote to memory of 4332	316	bsjzpzieyfdx.exe	92

C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe
"C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe
  "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\jxbcilol.exe
    WATCHDOGPROC "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
235KB

MD5
0cc41bcfc78505d063a7c75acbf23616

SHA1
87e772597573fbaef0530c500064ee1a9b3acac1

SHA256
90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

SHA512
f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305

Download Submit