5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866

General

Target

5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
Size

2.6MB
MD5

583f6b00c52bd5afc1d8056fc545fca7
SHA1

e820d03d6eac8af0cef5e9737738bec7b491d432
SHA256

5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866
SHA512

e78e58b832a1965889991f235d728661229a1b18a81420d600d695c4b6cd2e4d54ff317591ecd9ec710e49e020b2392b584fc5cfbaeb6f8a07caa4284a3f5130
SSDEEP

49152:RbIrl/Uxldber4n1GVxBQb0OuNoe1IF/E0YoNFaHGuQBffy:RErl/UH9j1sBQbTuNKdEVHGuQdf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3372	bcqqblosrm.exe
4888	bcqqblosrm.tmp

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\XYRadish\is-SDAJ0.tmp	bcqqblosrm.tmp
File created	C:\Program Files (x86)\XYRadish\is-HG24F.tmp	bcqqblosrm.tmp
File created	C:\Program Files (x86)\XYRadish\is-K90Q0.tmp	bcqqblosrm.tmp
File created	C:\Program Files (x86)\XYRadish\is-C4ET0.tmp	bcqqblosrm.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\unins000.dat	bcqqblosrm.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\ScreenCapture.exe	bcqqblosrm.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\libEGL.dll	bcqqblosrm.tmp
File created	C:\Program Files (x86)\XYRadish\is-89B1C.tmp	bcqqblosrm.tmp
File created	C:\Program Files (x86)\XYRadish\unins000.dat	bcqqblosrm.tmp
File created	C:\Program Files (x86)\XYRadish\is-L6505.tmp	bcqqblosrm.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
900	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
900	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
900	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
900	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
4888	bcqqblosrm.tmp
4888	bcqqblosrm.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4888	bcqqblosrm.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 3872	900	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe	81
PID 900 wrote to memory of 3872	900	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe	81
PID 900 wrote to memory of 3872	900	5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe	81
PID 3872 wrote to memory of 3372	3872	cmd.exe	83
PID 3872 wrote to memory of 3372	3872	cmd.exe	83
PID 3872 wrote to memory of 3372	3872	cmd.exe	83
PID 3372 wrote to memory of 4888	3372	bcqqblosrm.exe	85
PID 3372 wrote to memory of 4888	3372	bcqqblosrm.exe	85
PID 3372 wrote to memory of 4888	3372	bcqqblosrm.exe	85

C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe
"C:\Users\Admin\AppData\Local\Temp\5b4f79eabdb56a470fb9e6a85c2ee6dd0bbc91543a4538d1389e987e66bcf866.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe" /VERYSILENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe
    "C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\is-JNU6G.tmp\bcqqblosrm.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JNU6G.tmp\bcqqblosrm.tmp" /SL5="$13003C,150686,54272,C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe

Filesize
446KB

MD5
84e9fe774a5f14512c5b23ac3fd41304

SHA1
a503ab93af16de8be4f303ae145ada68ea9a7843

SHA256
7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679

SHA512
04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcqqblosrm.exe

Filesize
446KB

MD5
84e9fe774a5f14512c5b23ac3fd41304

SHA1
a503ab93af16de8be4f303ae145ada68ea9a7843

SHA256
7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679

SHA512
04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JNU6G.tmp\bcqqblosrm.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JNU6G.tmp\bcqqblosrm.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
memory/900-0-0x0000000010000000-0x0000000010284000-memory.dmp

Filesize
2.5MB

Download
memory/3372-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3372-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4888-18-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4888-43-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing