24a3ed0feb96f83465332092d5c854f0b5f596f3406e38fe78b3124bd2a18948

General

Target

jdc_1.2.13274_NEW.exe
Size

172.7MB
MD5

1450cfd6060d98c0c3c3ba6c7733cef0
SHA1

d777d16eec28e677219915d5e814c41a6ba02328
SHA256

24a3ed0feb96f83465332092d5c854f0b5f596f3406e38fe78b3124bd2a18948
SHA512

8df4016f625bc2a89e578c3d298174cf033e9f2079816517b8e763b6a1cf204e7300e6a2fe1188cc6dc8cd48b7dfe6fadd3f07d765cbae63134919a6cbdab67b
SSDEEP

3145728:IXaaR11EqP1JnSbnMUw2KERa9ojdSyL4fP/HXMnF1UPHIPpxwNG:m1BP1JnSI+RmsdH4fnE6Kpx9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2720	jdc_1.2.13274_NEW.tmp
728	Launcher64.exe

Loads dropped DLL 5 IoCs

pid	Process
2260	jdc_1.2.13274_NEW.exe
2720	jdc_1.2.13274_NEW.tmp
2720	jdc_1.2.13274_NEW.tmp
2720	jdc_1.2.13274_NEW.tmp
728	Launcher64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdc_1.2.13274_NEW.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdc_1.2.13274_NEW.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	jdc_1.2.13274_NEW.tmp
2720	jdc_1.2.13274_NEW.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	jdc_1.2.13274_NEW.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2720	2260	jdc_1.2.13274_NEW.exe	30
PID 2260 wrote to memory of 2720	2260	jdc_1.2.13274_NEW.exe	30
PID 2260 wrote to memory of 2720	2260	jdc_1.2.13274_NEW.exe	30
PID 2260 wrote to memory of 2720	2260	jdc_1.2.13274_NEW.exe	30
PID 2260 wrote to memory of 2720	2260	jdc_1.2.13274_NEW.exe	30
PID 2260 wrote to memory of 2720	2260	jdc_1.2.13274_NEW.exe	30
PID 2260 wrote to memory of 2720	2260	jdc_1.2.13274_NEW.exe	30
PID 2720 wrote to memory of 728	2720	jdc_1.2.13274_NEW.tmp	35
PID 2720 wrote to memory of 728	2720	jdc_1.2.13274_NEW.tmp	35
PID 2720 wrote to memory of 728	2720	jdc_1.2.13274_NEW.tmp	35
PID 2720 wrote to memory of 728	2720	jdc_1.2.13274_NEW.tmp	35
PID 2720 wrote to memory of 728	2720	jdc_1.2.13274_NEW.tmp	35
PID 2720 wrote to memory of 728	2720	jdc_1.2.13274_NEW.tmp	35
PID 2720 wrote to memory of 728	2720	jdc_1.2.13274_NEW.tmp	35

C:\Users\Admin\AppData\Local\Temp\jdc_1.2.13274_NEW.exe
"C:\Users\Admin\AppData\Local\Temp\jdc_1.2.13274_NEW.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\is-F5H42.tmp\jdc_1.2.13274_NEW.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F5H42.tmp\jdc_1.2.13274_NEW.tmp" /SL5="$30152,180427900,227840,C:\Users\Admin\AppData\Local\Temp\jdc_1.2.13274_NEW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Ubisoft\舞力全开：活力派\Launcher64.exe
    "C:\Ubisoft\舞力全开：活力派\Launcher64.exe" -popupwindow
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:728

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Ubisoft\舞力全开：活力派\Launcher64.exe

Filesize
16.0MB

MD5
12527535065d895bffc316bbb373ac9a

SHA1
343d71c99b4dd395e3fd4d02e83142db58470ed2

SHA256
03eb035777a94e4744eb732f9e476e448a65cf7c745a00b4d986b49594e7d7a7

SHA512
e1bf213bd10de84d77f9e2f56b9d343a3f76840e688f52d82ac94a3ec8d6cbbe1204d77458aeca26e7f80fa96aaf229851b6c8549cb51989adbd70f158a8503c

Download Submit
C:\Ubisoft\舞力全开：活力派\Launcher64_Data\Managed\mscorlib.dll

Filesize
2.4MB

MD5
361219cecd48f1aa33de3834e6c598f9

SHA1
3dfb7e96d55978c26fa0a52914dc382c02180b6e

SHA256
c6a4fb455edcdfc79650914ac0a3c702b839a21d77b5e480191ba491e248f56e

SHA512
1155eacb7d65d98707993e19e5f4572629d18ff9989d2f529f5f47537cb5e92ee4e346d0c9196a7ea7f06c4aea8875e6d17605dd73cdbfe36e390ded09a52f30

Download Submit
C:\Ubisoft\舞力全开：活力派\Launcher64_Data\globalgamemanagers

Filesize
22KB

MD5
fefbc9f94de8bc3ec735f968260cb978

SHA1
44f72a5b7635146f4a2b53512bff0d03bab5e087

SHA256
93e0cc8c9f4a309b82275141d99d3c4ce60bd9ea6e4ae6ea07ffbd3a32fc2dfe

SHA512
02e2507e321b1714f2dbd7df9f186f699c2dca5cb4c77c4ef3ff51c5a95ea15012639e60bc3dcf6d1f5294a324aef5a51fdaf97abcb7b470a6942c49aee7c7c3

Download Submit
\Ubisoft\舞力全开：活力派\Launcher64_Data\Mono\mono.dll

Filesize
2.0MB

MD5
c42dc129afc562386d05ca81041fdc3a

SHA1
87c63ffd52b10a564d55dab10375d513a8ed46c3

SHA256
90c9f4af0607108ee2e099cbc318f67c1305499999cbc825062da46c4e4f2c45

SHA512
aec5552966e1594ea1f3af1f49f41891da5487038ed08dcee07e353be88fe3aa77e05e636eb6f2796be23eb8e0cd354000a2fd73930e8d5c2e2a66d7fd0c9b54

Download Submit
\Users\Admin\AppData\Local\Temp\is-F5H42.tmp\jdc_1.2.13274_NEW.tmp

Filesize
1.2MB

MD5
1c3a9623b47eb26bb636041dace468b2

SHA1
24ffaa96390363d81d150d9867343065215d1d4f

SHA256
14b6965bdcadb58a8153b5fcf6f979dda70d585ab91199b993ed0cec1defad5d

SHA512
c6333a1fe2681812e1535b939a7c73e2a0782b6677da70cfd7320721145599cea7573cb994fd9a601ec1c02193cba6b159ece0d357b26c31af9f2cbcff0a5097

Download Submit
memory/2260-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2260-807-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-11-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2720-16-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2720-619-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2720-12-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2720-794-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2720-8-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download
memory/2720-806-0x0000000000400000-0x0000000000547000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing