1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe
Size

582KB
MD5

0ffabc343a0176a90847e7bca7fce754
SHA1

82b796ee090354ec6f5e79d7b3a015cd10b71e1d
SHA256

1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8
SHA512

b3208372acac17771b566723e229140e021b1ecb187e1168bccfc3f981e3c50c7a5432f74708c3f4610841373cd72d136b3ba1f2e958a72544136b5583f27c43
SSDEEP

12288:+V4OTXvuoY8QrRVGsnsVS4A0KIfPnHWYInvrlPmqhbkC+7K7i2u6L8heV:+V4OTW78QrR0rXKI3navpPmCbib6LD

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4876	RedGirl.exe
2328	RedGirl.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RedGirl.exe	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe
File opened for modification	C:\Windows\SysWOW64\RedGirl.exe	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe
4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe
4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe
4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe
4876	RedGirl.exe
4876	RedGirl.exe
4876	RedGirl.exe
4876	RedGirl.exe
2328	RedGirl.exe
2328	RedGirl.exe
2328	RedGirl.exe
2328	RedGirl.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 4876	4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe	82
PID 4100 wrote to memory of 4876	4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe	82
PID 4100 wrote to memory of 4876	4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe	82
PID 4100 wrote to memory of 2252	4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe	85
PID 4100 wrote to memory of 2252	4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe	85
PID 4100 wrote to memory of 2252	4100	1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe	85

C:\Users\Admin\AppData\Local\Temp\1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe
"C:\Users\Admin\AppData\Local\Temp\1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\RedGirl.exe
  C:\Windows\System32\RedGirl.exe 1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Temp\tmp.bat
  2⤵
  PID:2252

C:\Windows\SysWOW64\RedGirl.exe
C:\Windows\SysWOW64\RedGirl.exe -service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\RedGirl.exe

Filesize
582KB

MD5
0ffabc343a0176a90847e7bca7fce754

SHA1
82b796ee090354ec6f5e79d7b3a015cd10b71e1d

SHA256
1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8

SHA512
b3208372acac17771b566723e229140e021b1ecb187e1168bccfc3f981e3c50c7a5432f74708c3f4610841373cd72d136b3ba1f2e958a72544136b5583f27c43

Download Submit
C:\Windows\SysWOW64\RedGirl.exe

Filesize
582KB

MD5
0ffabc343a0176a90847e7bca7fce754

SHA1
82b796ee090354ec6f5e79d7b3a015cd10b71e1d

SHA256
1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8

SHA512
b3208372acac17771b566723e229140e021b1ecb187e1168bccfc3f981e3c50c7a5432f74708c3f4610841373cd72d136b3ba1f2e958a72544136b5583f27c43

Download Submit
C:\Windows\SysWOW64\RedGirl.exe

Filesize
582KB

MD5
0ffabc343a0176a90847e7bca7fce754

SHA1
82b796ee090354ec6f5e79d7b3a015cd10b71e1d

SHA256
1bf72b21b9327e9edd39a9bb6582a629a05fd920ca718a9ab0dd9a5cbbf7e0d8

SHA512
b3208372acac17771b566723e229140e021b1ecb187e1168bccfc3f981e3c50c7a5432f74708c3f4610841373cd72d136b3ba1f2e958a72544136b5583f27c43

Download Submit
C:\Windows\Temp\tmp.bat

Filesize
299B

MD5
e4c3bc919792f1d14d4f524898901224

SHA1
e7998d1a90d5e75a49675a9799fb94e2ade0bb4d

SHA256
088206e3664961fea2133ca76a903435851ab11f52ac15f958374bf01eaf9937

SHA512
473f826b8cce1e37acf37e2202be3744b243f71a53dac498002d0426326edc41922f93b3208b9057093e981c6bf9b76d5814a4a6289710509b5af35563fc6a3d

Download Submit
C:\Windows\Temp\ÎÒµÄÐÂÕÕÆ¬.jpg

Filesize
133KB

MD5
34f882d671e725504d87d65ada915ab6

SHA1
45694991b4c68de35d9611f8c904398e04476a52

SHA256
724c4c1175e590dab347f8f7460aa639fd3dc2bcf37355eb52bb779b737a8c70

SHA512
2be064ed18918766c71dee9eb7e4ac9a6c0203c05921f52422f94c084fc3d293a5ae2630a21b615f2a2be4ef5cbefb449f3abfdc05261564bad786f99450f828

Download Submit