bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02

General

Target

bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
Size

2.6MB
MD5

c98e6d9f5b3beaa1ecf94fe5522dca2a
SHA1

970f94386b7c82147d962b1d963221475e2c5422
SHA256

bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02
SHA512

f1bf879de9bbe20b8706441d9b5b9b7d7773d6ab3102456211c179c0e2b57778ba9fb5123e6e16bdede4a05562422429cddc60329b1db2f125846ea5250c4aca
SSDEEP

24576:Fn8wP+mjsy20TcP9Na9JDUfoQBtpvtCIfhPHkUKnpa7RZqZl+9wxTBPQXREgw:XTjsyt8vaTDUfopyR4gqKy5Bo6gw

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe

Executes dropped EXE 2 IoCs

pid	Process
1668	abcxycckvr.exe
4640	abcxycckvr.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\XYRadish\unins000.dat	abcxycckvr.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\ScreenCapture.exe	abcxycckvr.tmp
File created	C:\Program Files (x86)\XYRadish\unins000.dat	abcxycckvr.tmp
File created	C:\Program Files (x86)\XYRadish\is-8UQMQ.tmp	abcxycckvr.tmp
File created	C:\Program Files (x86)\XYRadish\is-L3PKG.tmp	abcxycckvr.tmp
File created	C:\Program Files (x86)\XYRadish\is-ILOR8.tmp	abcxycckvr.tmp
File opened for modification	C:\Program Files (x86)\XYRadish\libEGL.dll	abcxycckvr.tmp
File created	C:\Program Files (x86)\XYRadish\is-DQPGA.tmp	abcxycckvr.tmp
File created	C:\Program Files (x86)\XYRadish\is-57JO6.tmp	abcxycckvr.tmp
File created	C:\Program Files (x86)\XYRadish\is-9RSH4.tmp	abcxycckvr.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1900	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
1900	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
1900	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
1900	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
4640	abcxycckvr.tmp
4640	abcxycckvr.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4640	abcxycckvr.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1780	1900	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe	91
PID 1900 wrote to memory of 1780	1900	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe	91
PID 1900 wrote to memory of 1780	1900	bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe	91
PID 1780 wrote to memory of 1668	1780	cmd.exe	94
PID 1780 wrote to memory of 1668	1780	cmd.exe	94
PID 1780 wrote to memory of 1668	1780	cmd.exe	94
PID 1668 wrote to memory of 4640	1668	abcxycckvr.exe	95
PID 1668 wrote to memory of 4640	1668	abcxycckvr.exe	95
PID 1668 wrote to memory of 4640	1668	abcxycckvr.exe	95

C:\Users\Admin\AppData\Local\Temp\bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe
"C:\Users\Admin\AppData\Local\Temp\bc69d54359d155acb2371f771a175362637bf40e9fe109578642e33bba27aa02.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\abcxycckvr.exe" /VERYSILENT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\abcxycckvr.exe
    "C:\Users\Admin\AppData\Local\Temp\abcxycckvr.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\is-2ON69.tmp\abcxycckvr.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2ON69.tmp\abcxycckvr.tmp" /SL5="$D0202,150686,54272,C:\Users\Admin\AppData\Local\Temp\abcxycckvr.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abcxycckvr.exe

Filesize
446KB

MD5
84e9fe774a5f14512c5b23ac3fd41304

SHA1
a503ab93af16de8be4f303ae145ada68ea9a7843

SHA256
7ae568a3f72711d951aaa97c5b7e4dd1494be3cacda512f8226740000db1c679

SHA512
04b85fa32434dbf4d09b04a148fd2cb0fdffcafe1b5304d89f7a4b549a09f55779908de2c9895a8a3ed0bfb79fbf7ffe932bdee389e3ba6a5c7bf4bb345271b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2ON69.tmp\abcxycckvr.tmp

Filesize
900KB

MD5
f8b110dc2063d3b29502aa7042d26122

SHA1
1a0fd3db79eadc1ce714f6267d476ddbec0f5e79

SHA256
e8730b0bf8f94cbb8babbfefb32cef8e8d19ec823f28c33a7d48c78589710762

SHA512
f3125d3f575aff68105ebb3eadbce30547d34e12237d8ebbc555c6fe12bcc0a5ea85a38e26f2900d70af70ec07efde3b8cd65dc0fdada637496531245ea5052f

Download Submit
memory/1668-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1668-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-0-0x0000000000500000-0x0000000000799000-memory.dmp

Filesize
2.6MB

Download
memory/1900-1-0x0000000010000000-0x0000000010284000-memory.dmp

Filesize
2.5MB

Download
memory/4640-15-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/4640-43-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing