638dbb8569aa085f31fd8b787fd9b54733d6447afa76d9c068a1cb9194f932b5

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bhaggos.Roblox.Optimizer.exe
Size

100KB
MD5

d14eaee759dab5582b3272d623fdd069
SHA1

6583f518cee8d8f3bf7b6d457a2e06db8e5a2919
SHA256

638dbb8569aa085f31fd8b787fd9b54733d6447afa76d9c068a1cb9194f932b5
SHA512

f4f3f0c91ffa58040083bc5ea5c99a8ad8689f0b82bbb637774d02b76af5c0b4ae92c92be9ea28df7fdbee9e13c946ecfa6f4e79843f9d536d3ad781b4faa33c
SSDEEP

1536:q2poznR4j6ej3Zi2iLOZoMmX1OdM3SFs5gm+lz9:qMobR7ezAjLOZvmX19SS5Clz9

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Bhaggos.Roblox.Optimizer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2828	2284	Bhaggos.Roblox.Optimizer.exe	85
PID 2284 wrote to memory of 2828	2284	Bhaggos.Roblox.Optimizer.exe	85
PID 2828 wrote to memory of 1084	2828	cmd.exe	87
PID 2828 wrote to memory of 1084	2828	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\Bhaggos.Roblox.Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Bhaggos.Roblox.Optimizer.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "Bhaggos Roblox Optimizer.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\mode.com
    mode 117
    3⤵
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bhaggos Roblox Optimizer.bat

Filesize
356KB

MD5
eba7e5cf3db9b25bc6d53602b413be02

SHA1
ce34d7226e8fc24661c802c6c15fcdfc850a8bc0

SHA256
9d06a6cd497ac076f1c5d8b15e7779920cfb3552961e60c1e9c4108d0feaab02

SHA512
e689a23c2ca8417b0cdb0ca23e10933302928aed6704fa977e47ddeea8f56333ba4c6d12de51c4871caafb2afa3455b1e6e0329cb84f2f3bc6a683d70918dd1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads