Analysis
- max time kernel: 134s
- max time network: 132s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 19:54
Static task: static1
Behavioral task: behavioral1
- Sample: robolab 254download.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: robolab 254download.exe
- Resource: win10v2004-20220812-en
General
- Target: robolab 254download.exe
- Size: 508KB
- MD5: b248db34834905d6746d68f8bb089652
- SHA1: 0a57b032cd1db4b5402e0e86cf137517e1a55bd0
- SHA256: 7651724fa0ea3b15512b456411ce01bf6adfdc1bff62210b8ca61be6a16c0775
- SHA512: 54ca3c6f76fc5db37374b7038f29dd45a6c74c5f79bbcd7e3e8d2187d36f6bcf18a3f15a7b9a198fc696ea90a283ebff0b4deb609e6566a6448f72d086a8227c
- SSDEEP: 12288:VEGXEze2ysmqRqFUvK2ySI8d+jb1pg85GG+3L2FqBz/:VSysL5Tyw4jbM+GP36Fqt
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid  | Process
  3640 | robolab 254download.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                        | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | robolab 254download.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process                 | procid_target
  PID 4920 wrote to memory of 3640 | 4920 | robolab 254download.exe | 83
  PID 4920 wrote to memory of 3640 | 4920 | robolab 254download.exe | 83
  PID 4920 wrote to memory of 3640 | 4920 | robolab 254download.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\robolab 254download.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\robolab 254download.exe"
  PID: 4920
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Installer\robolab 254download.exe
    Command line: "C:\Users\Admin\AppData\Local\Installer\robolab 254download.exe" admin
    PID: 3640
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 508KB
  MD5: b248db34834905d6746d68f8bb089652
  SHA1: 0a57b032cd1db4b5402e0e86cf137517e1a55bd0
  SHA256: 7651724fa0ea3b15512b456411ce01bf6adfdc1bff62210b8ca61be6a16c0775
  SHA512: 54ca3c6f76fc5db37374b7038f29dd45a6c74c5f79bbcd7e3e8d2187d36f6bcf18a3f15a7b9a198fc696ea90a283ebff0b4deb609e6566a6448f72d086a8227c