798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd

General

Target

798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
Size

1.1MB
MD5

099af7890c41187686be398fe0fb6798
SHA1

33fe044f72474daea6a8838c17fcf3bdf5b069b9
SHA256

798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd
SHA512

fe22212177b874ff09d1e2a53cac3ddf17927ae8acfab8d25ac045e4ca562112a614a3d21596c41d2d50913fa55600a82c1690bae1df895173083adcfa7dc9af
SSDEEP

24576:ark8EiW2vqy+XBbIRKlCx+JF42Ejs4vE5N4KNFwkj:ark8EiW2yylKlDujs4vWJNFwkj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
328	girl.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
Token: SeIncBasePriorityPrivilege	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
Token: 33	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
Token: SeIncBasePriorityPrivilege	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
Token: 33	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
Token: SeIncBasePriorityPrivilege	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
Token: 33	328	girl.exe
Token: SeIncBasePriorityPrivilege	328	girl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 328	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe	27
PID 1368 wrote to memory of 328	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe	27
PID 1368 wrote to memory of 328	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe	27
PID 1368 wrote to memory of 328	1368	798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe	27

C:\Users\Admin\AppData\Local\Temp\798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe
"C:\Users\Admin\AppData\Local\Temp\798d72b65c53e0321bcb992ca1f2b8a75f8fb7d9305aa1d7d0daa487afaf28fd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\Apache HTTP Server\2.2.14\2013.02.01T06.55\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\girl.exe
  "C:\Users\Admin\AppData\Local\Temp\girl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\Apache HTTP Server\2.2.14\2013.02.01T06.55\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\girl.exe

Filesize
17KB

MD5
96db81e75b033a2b58702055cb74cee1

SHA1
ebd8cc59c5a30a3dfc617fa496610dd840fd87e8

SHA256
23c053d93266369c3a7b90c135e09008ab2fa77665b15f3ce99e1773d2ea5dcf

SHA512
b8e03934153e2f0bd08792298fa0b32ad1fb3bec77e8ab822839e468b3e5cc7c1fb73ec285f7504d7adbacdd6b80aa8484e021a9d30ae93561111226bbbe285f

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\Apache HTTP Server\2.2.14\2013.02.01T06.55\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\girl.exe

Filesize
17KB

MD5
96db81e75b033a2b58702055cb74cee1

SHA1
ebd8cc59c5a30a3dfc617fa496610dd840fd87e8

SHA256
23c053d93266369c3a7b90c135e09008ab2fa77665b15f3ce99e1773d2ea5dcf

SHA512
b8e03934153e2f0bd08792298fa0b32ad1fb3bec77e8ab822839e468b3e5cc7c1fb73ec285f7504d7adbacdd6b80aa8484e021a9d30ae93561111226bbbe285f

Download Submit
memory/328-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/328-72-0x0000000000490000-0x0000000000502000-memory.dmp

Filesize
456KB

Download
memory/328-69-0x0000000000490000-0x0000000000502000-memory.dmp

Filesize
456KB

Download
memory/328-68-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-60-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1368-56-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1368-57-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1368-55-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1368-61-0x00000000021C0000-0x0000000002232000-memory.dmp

Filesize
456KB

Download
memory/1368-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1368-59-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1368-70-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1368-71-0x00000000021C0000-0x0000000002232000-memory.dmp

Filesize
456KB

Download
memory/1368-58-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1368-73-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1368-74-0x00000000021C0000-0x0000000002232000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing