Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-12-2023 09:00

General

  • Target

    Roblox-UWP-Executor-main/Execution.dll

  • Size

    208KB

  • MD5

    fb437fa76df479d1c7f32326494d3922

  • SHA1

    f6ead50a07b938b326fab77f053658b00c1bf789

  • SHA256

    df655e9b4aad5c8c90828755126d8211d6ddd18aa9a38590ffbda6f6969df590

  • SHA512

    9925f8c5634721171158a28b14c59ba8421c85f1b31a6d0d393dc9e9e5195052fb619adfcdc2d77fc6bf78eb550674097d2cee67bcc7ec26313f5e94e784fd57

  • SSDEEP

    6144:AlniJt1wpYpuXYrlXbp2m/8nTyOcTQftV+k:u4EorlXb78nfcTQ1x

Score
1/10

Malware Config

Signatures

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\Execution.dll,#1
    PID:212
    • Suspicious use of WriteProcessMemory
    ◦ C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Roblox-UWP-Executor-main\Execution.dll,#1
      PID:4788
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HideSkip.bat
    PID:4412
    • Opens file in notepad (likely ransom note)
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\8d3d608728ad45299ece0ebaba5e01fe /t 4628 /p 4412
    PID:3196
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    PID:1780
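
The rundll32 parent/child pair above is the normal behaviour of the 64-bit C:\Windows\system32\rundll32.exe when it is handed a 32-bit DLL: it re-launches the same command line through the 32-bit copy in SysWOW64 (here PID 4788), which is consistent with the only memory dump in this run coming from PID 4788 at a below-4 GB address range. The `,#1` suffix tells rundll32 to call export ordinal 1. The Python below is an added example, not part of the sandbox report or of the submitted Roblox-UWP-Executor-main project: it reads the COFF header to predict which rundll32 will end up hosting a DLL, parses the export directory so ordinal 1 can be resolved to a name, and emits the same digest set the report lists for cross-checking a local copy. Because Execution.dll itself is not on this page, `build_minimal_pe` fabricates a constructed header-only PE with a valid export table to exercise the parsers; pass a real path on the command line to analyse an actual file.

```python
import hashlib
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_machine(data: bytes) -> str:
    """Return 'x86', 'x64' or 'unknown:0x....' from the COFF header Machine field."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    return {IMAGE_FILE_MACHINE_I386: "x86",
            IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, f"unknown:0x{machine:04x}")


def expected_rundll32_host(data: bytes) -> str:
    """On 64-bit Windows the System32 rundll32 re-launches a 32-bit DLL under the
    SysWOW64 copy, which is the parent/child pair in the report's process tree."""
    return {"x86": r"C:\Windows\SysWOW64\rundll32.exe",
            "x64": r"C:\Windows\System32\rundll32.exe"}.get(pe_machine(data), "unknown")


def _sections(data: bytes, pe_off: int):
    """Yield (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    first = pe_off + 24 + opt_size
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, first + 40 * i + 8)
        yield va, vsize, rptr, rsize


def _rva_to_off(rva: int, sections) -> int:
    for va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError(f"RVA 0x{rva:x} is not backed by any section")


def export_table(data: bytes) -> dict:
    """Return {ordinal: name or None}; rundll32 '...,#1' calls the entry with ordinal 1."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    magic = struct.unpack_from("<H", data, pe_off + 24)[0]
    dd_off = pe_off + 24 + (0x70 if magic == 0x20B else 0x60)  # DataDirectory[0] = exports
    exp_rva = struct.unpack_from("<I", data, dd_off)[0]
    if exp_rva == 0:
        return {}
    secs = list(_sections(data, pe_off))
    e = _rva_to_off(exp_rva, secs)
    base, nfuncs, nnames, funcs, names, ords = struct.unpack_from("<6I", data, e + 16)
    by_index = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, _rva_to_off(names, secs) + 4 * i)[0]
        idx = struct.unpack_from("<H", data, _rva_to_off(ords, secs) + 2 * i)[0]
        start = _rva_to_off(name_rva, secs)
        by_index[idx] = data[start:data.index(b"\0", start)].decode("ascii", "replace")
    table = {}
    for i in range(nfuncs):
        if struct.unpack_from("<I", data, _rva_to_off(funcs, secs) + 4 * i)[0]:
            table[base + i] = by_index.get(i)  # unnamed exports are ordinal-only
    return table


def file_hashes(data: bytes) -> dict:
    """Same digest set the report lists, for cross-checking a local copy."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256", "sha512")}


def build_minimal_pe(machine: int, export_names) -> bytes:
    """Constructed sample (not Execution.dll): a header-only PE with one .rdata section
    holding a valid export directory, enough to exercise the parsers above."""
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    opt_len = 0xF0 if pe32plus else 0xE0
    sec_rva, sec_off, sec_size = 0x1000, 0x200, 0x200
    n = len(export_names)
    eat, names, ords = sec_rva + 40, sec_rva + 40 + 4 * n, sec_rva + 40 + 8 * n
    strings, name_rvas = b"", []
    for nm in export_names:
        name_rvas.append(ords + 2 * n + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, eat, names, ords)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_len, 0x2102)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B).ljust(opt_len - 128, b"\0")
    opt += struct.pack("<II", sec_rva, len(body)) + b"\0" * 120  # export dir + 15 empty dirs
    sec = b".rdata\0\0" + struct.pack("<IIIIIIHHI", sec_size, sec_rva, sec_size, sec_off,
                                      0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_off, b"\0") + body.ljust(sec_size, b"\0")


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_minimal_pe(IMAGE_FILE_MACHINE_I386, ["Start"]))
    print(pe_machine(blob), expected_rundll32_host(blob), export_table(blob),
          file_hashes(blob)["sha256"])
```

Run as `python triage.py Execution.dll`: if the first field is `x86`, the SysWOW64 re-launch in the tree is expected rather than an evasion, and the export listed under ordinal 1 is the function the `,#1` command line actually invoked. Compare the printed SHA256 with the report's hash to confirm the same sample is being analysed.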

Network

MITRE ATT&CK Matrix

Downloads

  • memory/4788-0-0x0000000074ED0000-0x0000000074F19000-memory.dmp
    Filesize
    292KB