515127d9f53fa203f3ba9cb7b7b4d1cda211294cd80254cb9954e3d7462d309f

General

Target

my_penis_is_hard.lol.exe
Size

903KB
MD5

2ddc3374433159b00c6a9e5f43e2cd82
SHA1

b712be05de623818c6ed708500dc35f225155e59
SHA256

515127d9f53fa203f3ba9cb7b7b4d1cda211294cd80254cb9954e3d7462d309f
SHA512

a7d9367e553476bfe9d43bb28add4f70d7e115f4575664f2d903a544c685b2c3a2d26d5279fdd873f71ccb81fcb7b6f39791216262d1326f1043ced49cd9da9c
SSDEEP

12288:JTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawalBa2Ley+trZNrI0AilFEvxHvB3:JqI4MROxnF7ay6rZlI0AilFEvxHiAl

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe
File created	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	my_penis_is_hard.lol.exe
File created	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1800	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	my_penis_is_hard.lol.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4516	4192	my_penis_is_hard.lol.exe	72
PID 4192 wrote to memory of 4516	4192	my_penis_is_hard.lol.exe	72
PID 4516 wrote to memory of 408	4516	csc.exe	74
PID 4516 wrote to memory of 408	4516	csc.exe	74
PID 4192 wrote to memory of 4228	4192	my_penis_is_hard.lol.exe	76
PID 4192 wrote to memory of 4228	4192	my_penis_is_hard.lol.exe	76
PID 4228 wrote to memory of 1800	4228	cmd.exe	78
PID 4228 wrote to memory of 1800	4228	cmd.exe	78
PID 4228 wrote to memory of 3476	4228	cmd.exe	79
PID 4228 wrote to memory of 3476	4228	cmd.exe	79
PID 4228 wrote to memory of 1452	4228	cmd.exe	80
PID 4228 wrote to memory of 1452	4228	cmd.exe	80
PID 4228 wrote to memory of 4164	4228	cmd.exe	81
PID 4228 wrote to memory of 4164	4228	cmd.exe	81
PID 4228 wrote to memory of 3356	4228	cmd.exe	82
PID 4228 wrote to memory of 3356	4228	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\my_penis_is_hard.lol.exe
"C:\Users\Admin\AppData\Local\Temp\my_penis_is_hard.lol.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\drdrxelp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6708.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC66F7.tmp"
    3⤵
    PID:408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{528f7a48-fcb6-46cf-a476-90778f83d512}.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo j "
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\my_penis_is_hard.lol.exe""
    3⤵
    PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo j "
    3⤵
    PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{528f7a48-fcb6-46cf-a476-90778f83d512}.bat"
    3⤵
    PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6708.tmp

Filesize
1KB

MD5
013ee0bb4ec51982ca51e447cfb17b05

SHA1
b0e5c20fab88f3c999edf44814a40a9b22bcf763

SHA256
596786af6b09023ccb6dc66bdf32b798f9aa2644e388bff4a5576c9e3ccdb909

SHA512
8aafe07143e64735c2f0607be38ad3fadb9545c67e3f8e510fb0417a24dbfda9ae2eee8cfff375d645af8a941104fbd752b2a94785e58afca11c6a0e9ae4c90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\drdrxelp.dll

Filesize
76KB

MD5
886512f85c08b2f28ab3f6c11750025d

SHA1
79f4b310d1db89bbc3ed6c3ff167b6d616140bb2

SHA256
bed4331fdd76c315e19a5d8d00925a070a8c989df9210a6e61eb56f9117bc46a

SHA512
8848348ae3bd46d4b651d10002eda3671d0336b0190d42548257720e2f518c220f26d58a4c1892a36d896efb00dc6b2878623893e3459b18d47e77b75f49ab80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{528f7a48-fcb6-46cf-a476-90778f83d512}.bat

Filesize
197B

MD5
dbb00022d94130b4e27dccd144c5d8f7

SHA1
ca7a3070e981b7446f62b17def508abc1f5a005d

SHA256
67fe08af89755b483a6e701dbb78fda03b5f0d3a0c3b710e0671e2c4ee990928

SHA512
03dce8a6317b3d75e6dadbbd0eb2b227ca56bdacb8afc29d2d8803dc6ee77b6b18ce7ec399adc57b44fc8ee45e9ee53f4d9e2f3c7b28672d581dc6ca622ba995

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC66F7.tmp

Filesize
676B

MD5
dc87f5004d25a0286787cbbf08e02ad3

SHA1
79d1a9f05542176be3b4e873ecaec3b15d3cd2bd

SHA256
a57b521d85119325ce94b76f9f38e9332e46e99dad5c4e827785429a662697ce

SHA512
10d74c740c6a0801a607155f44e43b87add8186f4c63322dd8b8de3786f5b94ce5e54712ef82bda131f72a69a5a412147d6d1a341a0b1a275bd4579dbc42f72c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\drdrxelp.0.cs

Filesize
208KB

MD5
be8874c0f4eb03ccfa85d944639f592d

SHA1
5b1ae9412ad8ab872c808c788f3bf672aaae797e

SHA256
dee005d5fd95f1db28b63aa917c64bcfe7468485d85adecf6ce18a61a4522ddd

SHA512
d641a6ad95e85b77ce3bb13104912cef2a584f5a4446fc387f240e32ebfc9fb91ae93a6b26f7971a3ea4db690e4b3cdddc979d2f877ee478660a79b698c7f5b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\drdrxelp.cmdline

Filesize
349B

MD5
af690e9744253c1d27e7ca3bf951a728

SHA1
1bba2e2b8dfdc502ebe851bcd4a788fc77387bfd

SHA256
e5aec5ead11867fc518dc2a227c06c14aecb2c2394793cd4026bbce61f69b03d

SHA512
1fb865420b8733cc58d142a43adca36798088a34c334badf0f4a93855362053be2ae1b0b1c3db6e614c38197af262c08de397dcd0e2471bbcd0e9b39c1665d8f

Download Submit
memory/4192-28-0x000000001B280000-0x000000001B288000-memory.dmp

Filesize
32KB

Download
memory/4192-33-0x000000001E560000-0x000000001E650000-memory.dmp

Filesize
960KB

Download
memory/4192-7-0x000000001B9F0000-0x000000001BEBE000-memory.dmp

Filesize
4.8MB

Download
memory/4192-6-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-1-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-5-0x000000001B440000-0x000000001B44E000-memory.dmp

Filesize
56KB

Download
memory/4192-52-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-23-0x000000001C560000-0x000000001C576000-memory.dmp

Filesize
88KB

Download
memory/4192-2-0x000000001B2A0000-0x000000001B2FC000-memory.dmp

Filesize
368KB

Download
memory/4192-25-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/4192-26-0x000000001C590000-0x000000001C5A8000-memory.dmp

Filesize
96KB

Download
memory/4192-27-0x000000001B290000-0x000000001B2A0000-memory.dmp

Filesize
64KB

Download
memory/4192-0-0x00007FFB5D725000-0x00007FFB5D726000-memory.dmp

Filesize
4KB

Download
memory/4192-31-0x000000001D320000-0x000000001D382000-memory.dmp

Filesize
392KB

Download
memory/4192-32-0x000000001DFA0000-0x000000001E55A000-memory.dmp

Filesize
5.7MB

Download
memory/4192-8-0x000000001BEC0000-0x000000001BF5C000-memory.dmp

Filesize
624KB

Download
memory/4192-34-0x000000001D3F0000-0x000000001D40E000-memory.dmp

Filesize
120KB

Download
memory/4192-35-0x000000001D420000-0x000000001D469000-memory.dmp

Filesize
292KB

Download
memory/4192-36-0x000000001E6D0000-0x000000001E740000-memory.dmp

Filesize
448KB

Download
memory/4192-37-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-38-0x000000001E9F0000-0x000000001EB2C000-memory.dmp

Filesize
1.2MB

Download
memory/4192-39-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-40-0x00007FFB5D725000-0x00007FFB5D726000-memory.dmp

Filesize
4KB

Download
memory/4192-41-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-42-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-43-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-44-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4192-45-0x000000001F070000-0x000000001F1A6000-memory.dmp

Filesize
1.2MB

Download
memory/4192-46-0x000000001C970000-0x000000001C9BE000-memory.dmp

Filesize
312KB

Download
memory/4192-47-0x000000001CFF0000-0x000000001D009000-memory.dmp

Filesize
100KB

Download
memory/4516-21-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download
memory/4516-17-0x00007FFB5D470000-0x00007FFB5DE10000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing