5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
Size

2.6MB
MD5

583f6b00c52bd5afc1d8056fc545fca7
SHA1

e820d03d6eac8af0cef5e9737738bec7b491d432
SHA256

5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866
SHA512

e78e58b832a1965889991f235d728661229a1b18a81420d600d695c4b6cd2e4d54ff317591ecd9ec710e49e020b2392b584fc5cfbaeb6f8a07caa4284a3f5130
SSDEEP

49152:RbIrl/Uxldber4n1GVxBQb0OuNoe1IF/E0YoNFaHGuQBffy:RErl/UH9j1sBQbTuNKdEVHGuQdf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2328	jdyvpuueuj.exe
2184	jdyvpuueuj.tmp

Loads dropped DLL 6 IoCs

pid	Process
2680	cmd.exe
2328	jdyvpuueuj.exe
2184	jdyvpuueuj.tmp
2184	jdyvpuueuj.tmp
2184	jdyvpuueuj.tmp
2184	jdyvpuueuj.tmp

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\XYRadish\is-JC3MA.tmp	jdyvpuueuj.tmp
File created	C:\Program Files (x86)\XYRadish\is-1KKG0.tmp	jdyvpuueuj.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\ScreenCapture.exe	jdyvpuueuj.tmp
File created	C:\Program Files (x86)\XYRadish\is-O1UQ8.tmp	jdyvpuueuj.tmp
File created	C:\Program Files (x86)\XYRadish\is-JV52T.tmp	jdyvpuueuj.tmp
File created	C:\Program Files (x86)\XYRadish\is-LUCLE.tmp	jdyvpuueuj.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\libEGL.dll	jdyvpuueuj.tmp
File created	C:\Program Files (x86)\XYRadish\unins000.dat	jdyvpuueuj.tmp
File created	C:\Program Files (x86)\XYRadish\is-0EURC.tmp	jdyvpuueuj.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\unins000.dat	jdyvpuueuj.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2524	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
2524	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
2184	jdyvpuueuj.tmp
2184	jdyvpuueuj.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2184	jdyvpuueuj.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2680	2524	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe	28
PID 2524 wrote to memory of 2680	2524	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe	28
PID 2524 wrote to memory of 2680	2524	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe	28
PID 2524 wrote to memory of 2680	2524	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe	28
PID 2680 wrote to memory of 2328	2680	cmd.exe	30
PID 2680 wrote to memory of 2328	2680	cmd.exe	30
PID 2680 wrote to memory of 2328	2680	cmd.exe	30
PID 2680 wrote to memory of 2328	2680	cmd.exe	30
PID 2680 wrote to memory of 2328	2680	cmd.exe	30
PID 2680 wrote to memory of 2328	2680	cmd.exe	30
PID 2680 wrote to memory of 2328	2680	cmd.exe	30
PID 2328 wrote to memory of 2184	2328	jdyvpuueuj.exe	31
PID 2328 wrote to memory of 2184	2328	jdyvpuueuj.exe	31
PID 2328 wrote to memory of 2184	2328	jdyvpuueuj.exe	31
PID 2328 wrote to memory of 2184	2328	jdyvpuueuj.exe	31
PID 2328 wrote to memory of 2184	2328	jdyvpuueuj.exe	31
PID 2328 wrote to memory of 2184	2328	jdyvpuueuj.exe	31
PID 2328 wrote to memory of 2184	2328	jdyvpuueuj.exe	31

C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
"C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe
    "C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\is-GAHS9.tmp\jdyvpuueuj.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GAHS9.tmp\jdyvpuueuj.tmp" /SL5="$A0124,150686,54272,C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GAHS9.tmp\jdyvpuueuj.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GAHS9.tmp\jdyvpuueuj.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe

Filesize
446KB

MD5
84e9fe774a5f14512c5b23ac3fd41304

SHA1
a503ab93af16de8be4f303ae145ada68ea9a7843

SHA256
7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679

SHA512
04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe

Filesize
446KB

MD5
84e9fe774a5f14512c5b23ac3fd41304

SHA1
a503ab93af16de8be4f303ae145ada68ea9a7843

SHA256
7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679

SHA512
04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5

Download Submit
\Program Files (x86)\XYRadish\ScreenCapture.exe

Filesize
242KB

MD5
235b6e53b2ab785da9dac7ded3aa2739

SHA1
8e6d4ee9ed2f01b7dc45b4f032f8d78feed77307

SHA256
1c563ca37788b1fc72d1c3d134f7d0689c0edfc8c4a12579fe45a92385f45a3e

SHA512
b72479b0d03e458ec6da815ed8f2c811ec1f0a6c60bcdae26cf0fa2e92ce964ce56eb81e7610253825fb754eadf19445af57d8ced9a8ff7eaf68b1b527701297

Download Submit
\Program Files (x86)\XYRadish\unins000.exe

Filesize
907KB

MD5
04a36dd3e9af18ce7c7cfa7e7efa0ca5

SHA1
1482b795d71d0ed4d95131c304a7396298c072e8

SHA256
2fbce5b4d83daee2a6ba4cbbce7eb7cecd66a2390f39f792a02d1a9585803f61

SHA512
19351923e2ca22e18a1798b2f6a2d072e9126c30d47c9e4fb0c1b0d42d1a3824f092fec9ea8d43a994aef4a3263226d3534c3e9ad709e138175e2d4b9cf0fa5f

Download Submit
\Users\Admin\AppData\Local\Temp\is-7SAA8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-7SAA8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-GAHS9.tmp\jdyvpuueuj.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
\Users\Admin\AppData\Local\Temp\jdyvpuueuj.exe

Filesize
446KB

MD5
84e9fe774a5f14512c5b23ac3fd41304

SHA1
a503ab93af16de8be4f303ae145ada68ea9a7843

SHA256
7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679

SHA512
04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5

Download Submit
memory/2184-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-49-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2328-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2328-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2524-0-0x0000000010000000-0x0000000010284000-memory.dmp

Filesize
2.5MB

Download