90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cc41bcfc78505d063a7c75acbf23616.exe
Size

235KB
MD5

0cc41bcfc78505d063a7c75acbf23616
SHA1

87e772597573fbaef0530c500064ee1a9b3acac1
SHA256

90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f
SHA512

f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305
SSDEEP

3072:YSm2cstIDf/WwUgKSIzKvsTWW+PV9LGjgrzRe1anbl7Okb0EgzwfWPwC5y7qv:IzshBpKvsTWW29y8hnblj03EZN7qv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2512	bsjzpzieyfdx.exe
2196	jxbcilol.exe

Loads dropped DLL 4 IoCs

pid	Process
2212	0cc41bcfc78505d063a7c75acbf23616.exe
2212	0cc41bcfc78505d063a7c75acbf23616.exe
2512	bsjzpzieyfdx.exe
2512	bsjzpzieyfdx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Interactive BranchCache Firewall Receiver = "C:\\Users\\Admin\\Local Settings\\Application Data\\llxfatvcpxvzw\\bsjzpzieyfdx.exe"	0cc41bcfc78505d063a7c75acbf23616.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2512	bsjzpzieyfdx.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe
2196	jxbcilol.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2512	2212	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 2212 wrote to memory of 2512	2212	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 2212 wrote to memory of 2512	2212	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 2212 wrote to memory of 2512	2212	0cc41bcfc78505d063a7c75acbf23616.exe	28
PID 2512 wrote to memory of 2196	2512	bsjzpzieyfdx.exe	29
PID 2512 wrote to memory of 2196	2512	bsjzpzieyfdx.exe	29
PID 2512 wrote to memory of 2196	2512	bsjzpzieyfdx.exe	29
PID 2512 wrote to memory of 2196	2512	bsjzpzieyfdx.exe	29

C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe
"C:\Users\Admin\AppData\Local\Temp\0cc41bcfc78505d063a7c75acbf23616.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe
  "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\jxbcilol.exe
    WATCHDOGPROC "C:\Users\Admin\Local Settings\Application Data\llxfatvcpxvzw\bsjzpzieyfdx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\llxfatvcpxvzw\bsjzpzieyfdx.exe

Filesize
235KB

MD5
0cc41bcfc78505d063a7c75acbf23616

SHA1
87e772597573fbaef0530c500064ee1a9b3acac1

SHA256
90847d5237c1edc67fa1fc5bcf8cbef7dfc6bed8b5d45d458633cc8ee16e4e6f

SHA512
f0317d4f052f5039796613b78281ffbf0ec08c8f4817946ed690420ddf433acb4d27c484396e1b62416699a79070539c4da5c921ccd9277b272d70354599c305

Download Submit