0cdd088afc4cb6d2f0d39b6b05c49398309baafb38309cbe89f222eaa2042f86

General

Target

girlGirlBoys.jpg.dll
Size

1.2MB
MD5

765dd6425582672e4c2cca5929598848
SHA1

32284fcaeb0310f34a1b5fff46f4bd7e8e17251a
SHA256

0cdd088afc4cb6d2f0d39b6b05c49398309baafb38309cbe89f222eaa2042f86
SHA512

8349b824e6001b3cdc7f8d7fa332b2308c6a21c232f54c46bd537778e15214962a319478a790f0a0f5b640d25fb77e442bb92897c3a688fa7ebca496243711eb

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3972 created 3008 3972 regsvr32.exe Explorer.EXE
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 myexternalip.com
25 myexternalip.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3972 set thread context of 2644 3972 regsvr32.exe chrome.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1444 net.exe
2388 net.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exechrome.exe

pid process

3972 regsvr32.exe
3972 regsvr32.exe
2644 chrome.exe
2644 chrome.exe

description	pid	process	target process
PID 3972 created 3008	3972	regsvr32.exe	Explorer.EXE

flow	ioc
26	myexternalip.com
25	myexternalip.com

description	pid	process	target process
PID 3972 set thread context of 2644	3972	regsvr32.exe	chrome.exe

pid	process
1444	net.exe
2388	net.exe

pid	process
3972	regsvr32.exe
3972	regsvr32.exe
2644	chrome.exe
2644	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe
PID 3972 wrote to memory of 2644	3972	regsvr32.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3008

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\girlGirlBoys.jpg.dll
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Windows\SYSTEM32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:1444

C:\Windows\SYSTEM32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:2388

C:\Windows\SYSTEM32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:2400

C:\Windows\SYSTEM32\net.exe
net localgroup administrator
3⤵
PID:3152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrator
4⤵
PID:3960

C:\Windows\SYSTEM32\net.exe
net group /domain admins
3⤵
PID:3360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group /domain admins
4⤵
PID:2256

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\girlGirlBoys.jpg.dll"
1⤵
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-126-0x00000000278C0000-0x00000000278FE000-memory.dmp

Filesize
248KB

Download
memory/1444-127-0x0000000000000000-mapping.dmp

Download
memory/2256-133-0x0000000000000000-mapping.dmp

Download
memory/2388-128-0x0000000000000000-mapping.dmp

Download
memory/2400-129-0x0000000000000000-mapping.dmp

Download
memory/2644-120-0x00007FF6D26477D8-mapping.dmp

Download
memory/2644-119-0x00007FF6D2430000-0x00007FF6D2675000-memory.dmp

Filesize
2.3MB

Download
memory/2644-121-0x00007FF6D2430000-0x00007FF6D2675000-memory.dmp

Filesize
2.3MB

Download
memory/3152-130-0x0000000000000000-mapping.dmp

Download
memory/3360-132-0x0000000000000000-mapping.dmp

Download
memory/3960-131-0x0000000000000000-mapping.dmp

Download
memory/3972-118-0x0000000028150000-0x000000002818E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing