515127d9f53fa203f3ba9cb7b7b4d1cda211294cd80254cb9954e3d7462d309f

Analysis

max time kernel
403s
max time network
865s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-06-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

my_penis_is_hard.lol.exe
Size

903KB
MD5

2ddc3374433159b00c6a9e5f43e2cd82
SHA1

b712be05de623818c6ed708500dc35f225155e59
SHA256

515127d9f53fa203f3ba9cb7b7b4d1cda211294cd80254cb9954e3d7462d309f
SHA512

a7d9367e553476bfe9d43bb28add4f70d7e115f4575664f2d903a544c685b2c3a2d26d5279fdd873f71ccb81fcb7b6f39791216262d1326f1043ced49cd9da9c
SSDEEP

12288:JTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawalBa2Ley+trZNrI0AilFEvxHvB3:JqI4MROxnF7ay6rZlI0AilFEvxHiAl

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	my_penis_is_hard.lol.exe
File created	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	my_penis_is_hard.lol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	my_penis_is_hard.lol.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	my_penis_is_hard.lol.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
932	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	my_penis_is_hard.lol.exe
Token: SeDebugPrivilege	1068	whoami.exe
Token: 33	1676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1676	AUDIODG.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2628	2316	my_penis_is_hard.lol.exe	71
PID 2316 wrote to memory of 2628	2316	my_penis_is_hard.lol.exe	71
PID 2628 wrote to memory of 4776	2628	csc.exe	73
PID 2628 wrote to memory of 4776	2628	csc.exe	73
PID 2316 wrote to memory of 4176	2316	my_penis_is_hard.lol.exe	75
PID 2316 wrote to memory of 4176	2316	my_penis_is_hard.lol.exe	75
PID 2316 wrote to memory of 1544	2316	my_penis_is_hard.lol.exe	77
PID 2316 wrote to memory of 1544	2316	my_penis_is_hard.lol.exe	77
PID 1544 wrote to memory of 1068	1544	cmd.exe	79
PID 1544 wrote to memory of 1068	1544	cmd.exe	79
PID 2316 wrote to memory of 4332	2316	my_penis_is_hard.lol.exe	81
PID 2316 wrote to memory of 4332	2316	my_penis_is_hard.lol.exe	81
PID 4332 wrote to memory of 932	4332	cmd.exe	83
PID 4332 wrote to memory of 932	4332	cmd.exe	83
PID 4332 wrote to memory of 2016	4332	cmd.exe	84
PID 4332 wrote to memory of 2016	4332	cmd.exe	84
PID 4332 wrote to memory of 2400	4332	cmd.exe	85
PID 4332 wrote to memory of 2400	4332	cmd.exe	85
PID 4332 wrote to memory of 2344	4332	cmd.exe	86
PID 4332 wrote to memory of 2344	4332	cmd.exe	86
PID 4332 wrote to memory of 3176	4332	cmd.exe	87
PID 4332 wrote to memory of 3176	4332	cmd.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\my_penis_is_hard.lol.exe
"C:\Users\Admin\AppData\Local\Temp\my_penis_is_hard.lol.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uficrtsn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA51.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA50.tmp"
    3⤵
    PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  PID:4176
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{065e472e-eaef-4c97-abc7-b843a491a95d}.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo j "
    3⤵
    PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\my_penis_is_hard.lol.exe""
    3⤵
    PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo j "
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{065e472e-eaef-4c97-abc7-b843a491a95d}.bat"
    3⤵
    PID:3176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEA51.tmp

Filesize
1KB

MD5
e179fdfb2ccc99924ee8c536631a40c7

SHA1
10b7219478243bb5fdb70564a4cd8554643cdb69

SHA256
82bbf2510d19fd86e87bcd45466d3bb784ce2993a6dfb54593615ae1994d572c

SHA512
f66b27d2093dc4364454b1f36161af4317f1fa6063f22b5a99f3f031018561e1e4b6225dcc82e6e3e7e7e005c7f0e613c55df025ae2c9c661df5dec8e06b00ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uficrtsn.dll

Filesize
76KB

MD5
06bd2d4f5056f628e779b0c1400d6bd5

SHA1
932176e9cc2d8b14c9c99ba74dd2b9e70dcb611d

SHA256
7acdd3807ee8a22740c0e1c031d27c7321a3755cfa9c9356d708b5b0f3b95472

SHA512
d6dc863833fcb38483f2a5c59a5f70e72f877ce593f8d13846581e285465dd9bc2f257bbc1b8e86cfd332b46db525ec803a763bb9cdddefe7cebd2b6ba7bb9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{065e472e-eaef-4c97-abc7-b843a491a95d}.bat

Filesize
197B

MD5
35c691301c59f84adad0ba01f539e96f

SHA1
15692336d1bb57f79f00bb59cec21ca0fdc56219

SHA256
13cab34c9d4bb1d927bae160960439d4431d2ce1299183a1d87f09c18b6c0611

SHA512
91c7d10d98c3e01b5714165b19a92d4b9991cdd990b3a31617dfbb5302328da0725b9adc65b78dca91bbb781e121fdb0801b68c315c05982e00748da0a574ff9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEA50.tmp

Filesize
676B

MD5
e52e209ccb12480ea7019692cd17eeea

SHA1
3ae902b4a3be96fecb629e69303d107db8f9fce4

SHA256
494034e7f9115c309bb8b3f0ab9b8d209a37e8ce2c81a299fa0c44e5db073511

SHA512
43e97296232f87a4d0be99215c3d50fa7591bd8cc4de0127386c58bad7fbaae9f87c3e726c12f367391efce8b30728e97c245c87c43cbfc6f177eceda909e640

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uficrtsn.0.cs

Filesize
208KB

MD5
d055e05fe3af44d565665d90fe960340

SHA1
2e9f3ed3d8807149ecf82777b14fe006d230a3d0

SHA256
54b377a0ee0f197064717837cea992da0049ae3df32ec8f962564e1166a770dc

SHA512
274178ce7e98669f034731c8f855924ad2656d1a08a346b4a305932eb64bf9372a628b7493d69ad48ea25a02db5197d6f2cdac8dc399089b714be1843c9c8348

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uficrtsn.cmdline

Filesize
349B

MD5
d750e5a39402a482cf69a5d704adea9a

SHA1
d33566a4af6e4bf128e557929bddaf3f525de5c3

SHA256
19a11db287529daa7a55acdad0a4b075620db07a90aa5a491efb5b5dee0ede70

SHA512
87ad0ca09ffeb8998dc7178a9191ba4df4ddc24f43305f06ded4b5f342373e03efee9ca1a3f93ce9486ba6f96dd17c232ef1d49023cf52d86148978ec049bd63

Download Submit
memory/2316-45-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-37-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-7-0x000000001BA30000-0x000000001BEFE000-memory.dmp

Filesize
4.8MB

Download
memory/2316-6-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-5-0x000000001B420000-0x000000001B42E000-memory.dmp

Filesize
56KB

Download
memory/2316-1-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-73-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-2-0x000000001B380000-0x000000001B3DC000-memory.dmp

Filesize
368KB

Download
memory/2316-23-0x000000001C470000-0x000000001C486000-memory.dmp

Filesize
88KB

Download
memory/2316-25-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2316-26-0x000000001C680000-0x000000001C698000-memory.dmp

Filesize
96KB

Download
memory/2316-27-0x000000001C490000-0x000000001C4A0000-memory.dmp

Filesize
64KB

Download
memory/2316-28-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2316-31-0x000000001D400000-0x000000001D462000-memory.dmp

Filesize
392KB

Download
memory/2316-32-0x000000001E0C0000-0x000000001E67A000-memory.dmp

Filesize
5.7MB

Download
memory/2316-33-0x000000001E680000-0x000000001E770000-memory.dmp

Filesize
960KB

Download
memory/2316-34-0x000000001D4D0000-0x000000001D4EE000-memory.dmp

Filesize
120KB

Download
memory/2316-35-0x000000001D500000-0x000000001D549000-memory.dmp

Filesize
292KB

Download
memory/2316-36-0x000000001E7E0000-0x000000001E850000-memory.dmp

Filesize
448KB

Download
memory/2316-8-0x000000001BFA0000-0x000000001C03C000-memory.dmp

Filesize
624KB

Download
memory/2316-38-0x000000001EAD0000-0x000000001EC0C000-memory.dmp

Filesize
1.2MB

Download
memory/2316-39-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-40-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-41-0x00007FF8F64E5000-0x00007FF8F64E6000-memory.dmp

Filesize
4KB

Download
memory/2316-42-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-43-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-44-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-0-0x00007FF8F64E5000-0x00007FF8F64E6000-memory.dmp

Filesize
4KB

Download
memory/2316-49-0x000000001F010000-0x000000001F162000-memory.dmp

Filesize
1.3MB

Download
memory/2316-53-0x000000001D0D0000-0x000000001D11A000-memory.dmp

Filesize
296KB

Download
memory/2316-54-0x000000001D680000-0x000000001D6E6000-memory.dmp

Filesize
408KB

Download
memory/2316-55-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2316-57-0x000000001F160000-0x000000001F1E6000-memory.dmp

Filesize
536KB

Download
memory/2316-65-0x000000001F5A0000-0x000000001F6D6000-memory.dmp

Filesize
1.2MB

Download
memory/2316-66-0x0000000000A50000-0x0000000000A9E000-memory.dmp

Filesize
312KB

Download
memory/2316-67-0x0000000000AB0000-0x0000000000AC9000-memory.dmp

Filesize
100KB

Download
memory/2628-21-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download
memory/2628-19-0x00007FF8F6230000-0x00007FF8F6BD0000-memory.dmp

Filesize
9.6MB

Download