bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
Size

2.6MB
MD5

c98e6d9f5b3beaa1ecf94fe5522dca2a
SHA1

970f94386b7c82147d962b1d963221475e2c5422
SHA256

bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02
SHA512

f1bf879de9bbe20b8706441d9b5b9b7d7773d6ab3102456211c179c0e2b57778ba9fb5123e6e16bdede4a05562422429cddc60329b1db2f125846ea5250c4aca
SSDEEP

24576:Fn8wP+mjsy20TcP9Na9JDUfoQBtpvtCIfhPHkUKnpa7RZqZl+9wxTBPQXREgw:XTjsyt8vaTDUfopyR4gqKy5Bo6gw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2588	jdicaiodup.exe
2748	jdicaiodup.tmp

Loads dropped DLL 6 IoCs

pid	Process
2504	cmd.exe
2588	jdicaiodup.exe
2748	jdicaiodup.tmp
2748	jdicaiodup.tmp
2748	jdicaiodup.tmp
2748	jdicaiodup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\XYRadish\ScreenCapture.exe	jdicaiodup.tmp
File created	C:\Program Files (x86)\XYRadish\unins000.dat	jdicaiodup.tmp
File created	C:\Program Files (x86)\XYRadish\is-8N9HM.tmp	jdicaiodup.tmp
File created	C:\Program Files (x86)\XYRadish\is-UF07J.tmp	jdicaiodup.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\libEGL.dll	jdicaiodup.tmp
File created	C:\Program Files (x86)\XYRadish\is-3889E.tmp	jdicaiodup.tmp
File created	C:\Program Files (x86)\XYRadish\is-ER4KL.tmp	jdicaiodup.tmp
File created	C:\Program Files (x86)\XYRadish\is-SMJAU.tmp	jdicaiodup.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\unins000.dat	jdicaiodup.tmp
File created	C:\Program Files (x86)\XYRadish\is-RBVP2.tmp	jdicaiodup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2720	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
2720	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
2748	jdicaiodup.tmp
2748	jdicaiodup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	jdicaiodup.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2504	2720	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe	28
PID 2720 wrote to memory of 2504	2720	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe	28
PID 2720 wrote to memory of 2504	2720	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe	28
PID 2720 wrote to memory of 2504	2720	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe	28
PID 2504 wrote to memory of 2588	2504	cmd.exe	30
PID 2504 wrote to memory of 2588	2504	cmd.exe	30
PID 2504 wrote to memory of 2588	2504	cmd.exe	30
PID 2504 wrote to memory of 2588	2504	cmd.exe	30
PID 2504 wrote to memory of 2588	2504	cmd.exe	30
PID 2504 wrote to memory of 2588	2504	cmd.exe	30
PID 2504 wrote to memory of 2588	2504	cmd.exe	30
PID 2588 wrote to memory of 2748	2588	jdicaiodup.exe	31
PID 2588 wrote to memory of 2748	2588	jdicaiodup.exe	31
PID 2588 wrote to memory of 2748	2588	jdicaiodup.exe	31
PID 2588 wrote to memory of 2748	2588	jdicaiodup.exe	31
PID 2588 wrote to memory of 2748	2588	jdicaiodup.exe	31
PID 2588 wrote to memory of 2748	2588	jdicaiodup.exe	31
PID 2588 wrote to memory of 2748	2588	jdicaiodup.exe	31

C:\Users\Admin\AppData\Local\Temp\bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
"C:\Users\Admin\AppData\Local\Temp\bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\jdicaiodup.exe" /VERYSILENT
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\jdicaiodup.exe
    "C:\Users\Admin\AppData\Local\Temp\jdicaiodup.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\is-T6I5D.tmp\jdicaiodup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-T6I5D.tmp\jdicaiodup.tmp" /SL5="$90120,150686,54272,C:\Users\Admin\AppData\Local\Temp\jdicaiodup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-T6I5D.tmp\jdicaiodup.tmp

Filesize
242KB

MD5
b83a7aa4610b9a8fc656fe411022902b

SHA1
061c0bc1b98c9bad83c375064b96b20dded39417

SHA256
09e9ba7a737edc3f5e60698d743b0056675cce5ffd4d86eb8c77c2640713195a

SHA512
71b55e79903cb2ae1319aff5b677175c6408c1825e66a0a4887092be93c2920c74df5a060868db7417455f96f255a4d25888eddf43205b07ad957c1a0b1f3181

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T6I5D.tmp\jdicaiodup.tmp

Filesize
52KB

MD5
c5ff32e936d39b8ce02c9d98d428fb35

SHA1
ade7b69444c6b4cac4d938a7a3450f62c310d40b

SHA256
c906ff1b378a4663b167bc0ae5700615af80e249cf3f9e7d57f8c13a6f0eb947

SHA512
e74aa5dd623bc7926db627a2d0c4110cb37d485be7b1633947e78507e3b0728a902c1bbeb3543f1f4e1c4162347598dbcdfd56e2d23d14e23c651bfd575e3522

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdicaiodup.exe

Filesize
324KB

MD5
4e579a6e383709abf6fb947df1299229

SHA1
272a190f047a5fd8620cc95e4ed8bd5547e81b04

SHA256
37bf124f11c496bda9bbc936750bb14a9f6eba6694650690f732ce2bbfd65f21

SHA512
644af8f07cf5dcc1e8e168b5c52f9c3975574d0114a40763788fac0b79499d6320b515c40de9ab329e3089801301788526c077a14003d4c1a6e3cd1bc912b452

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdicaiodup.exe

Filesize
446KB

MD5
84e9fe774a5f14512c5b23ac3fd41304

SHA1
a503ab93af16de8be4f303ae145ada68ea9a7843

SHA256
7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679

SHA512
04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5

Download Submit
\Program Files (x86)\XYRadish\ScreenCapture.exe

Filesize
242KB

MD5
235b6e53b2ab785da9dac7ded3aa2739

SHA1
8e6d4ee9ed2f01b7dc45b4f032f8d78feed77307

SHA256
1c563ca37788b1fc72d1c3d134f7d0689c0edfc8c4a12579fe45a92385f45a3e

SHA512
b72479b0d03e458ec6da815ed8f2c811ec1f0a6c60bcdae26cf0fa2e92ce964ce56eb81e7610253825fb754eadf19445af57d8ced9a8ff7eaf68b1b527701297

Download Submit
\Program Files (x86)\XYRadish\unins000.exe

Filesize
907KB

MD5
04a36dd3e9af18ce7c7cfa7e7efa0ca5

SHA1
1482b795d71d0ed4d95131c304a7396298c072e8

SHA256
2fbce5b4d83daee2a6ba4cbbce7eb7cecd66a2390f39f792a02d1a9585803f61

SHA512
19351923e2ca22e18a1798b2f6a2d072e9126c30d47c9e4fb0c1b0d42d1a3824f092fec9ea8d43a994aef4a3263226d3534c3e9ad709e138175e2d4b9cf0fa5f

Download Submit
\Users\Admin\AppData\Local\Temp\is-O7QK7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-T6I5D.tmp\jdicaiodup.tmp

Filesize
256KB

MD5
fc52ba8e1b23bb56f79fc6537e5b9e1b

SHA1
0d5c01142b4ac35b51c0b5c3bb92ef3530eb622e

SHA256
c3ffd5563f049a3e65dae27095525dd182e9c72c53f8984f17c2a864495f0362

SHA512
3f3b2552c3dd024989a92874b070c03c91760fdac3eaa6a567d1887b759a78de6c9c2605861aa3cad0a7cd5a986784b1f474a356ea20b73a5590db35b7eb5358

Download Submit
\Users\Admin\AppData\Local\Temp\jdicaiodup.exe

Filesize
415KB

MD5
637d584c6a9bf0cdd2f0299edddb420f

SHA1
bb588e3da5ecd7da2a50eb501616db85febec7de

SHA256
ad075d035d9fe320c5ce1be4a7ebf390f43f15528b929bb91dcb320ff5ac5dc6

SHA512
aaded9dabe1d3206511be21e9e0c154c42568c44dda7b8523ea209144ce71ed92e5f96af03d41e3471692a84b0a4d86317babf3bc8d82bdb9cd1cb5dbd9b06c9

Download Submit
memory/2588-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2588-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2588-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2720-1-0x0000000010000000-0x0000000010284000-memory.dmp

Filesize
2.5MB

Download
memory/2720-0-0x0000000000080000-0x0000000000319000-memory.dmp

Filesize
2.6MB

Download
memory/2748-17-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2748-50-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download