d801058b8bdb1a799c725c7004852f62110335e3d48e6e6731f1a8e5b3a30f5a

Resubmissions

04/04/2024, 23:11

240404-26nakada71 10

04/04/2024, 23:10

240404-25rxcsda5z 10

Analysis

max time kernel
138s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 23:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ROBLOX MOD.zip
Size

2.7MB
MD5

b7b55881e07b35e7d0db149fa4824c02
SHA1

fff61668cbe80d180d49b05858d65b07d5579428
SHA256

d801058b8bdb1a799c725c7004852f62110335e3d48e6e6731f1a8e5b3a30f5a
SHA512

18566cd88110e234dcc9473394f7d2c16a09afd1373053fea821b2dd8293bda115416d695f46ba3b4b140bb426c53d6a5e05c54928abe9928947350fbbbfd117
SSDEEP

49152:3bT4cpgiAu1Ub5sGOnS1ArG0wU9zv9mdSlpLGiiKeymqwKw1r:3bii96knN9mdApLGi1XmZr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1164	Advertising.pif

Loads dropped DLL 1 IoCs

pid	Process
2592	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1232	tasklist.exe
1656	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1176	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1164	Advertising.pif
1164	Advertising.pif
1164	Advertising.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2492	AUDIODG.EXE
Token: 33	2492	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2492	AUDIODG.EXE
Token: SeDebugPrivilege	1232	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1164	Advertising.pif
1164	Advertising.pif
1164	Advertising.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1164	Advertising.pif
1164	Advertising.pif
1164	Advertising.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2592	2792	ROBLOX MOD.exe	35
PID 2792 wrote to memory of 2592	2792	ROBLOX MOD.exe	35
PID 2792 wrote to memory of 2592	2792	ROBLOX MOD.exe	35
PID 2792 wrote to memory of 2592	2792	ROBLOX MOD.exe	35
PID 2592 wrote to memory of 1232	2592	cmd.exe	37
PID 2592 wrote to memory of 1232	2592	cmd.exe	37
PID 2592 wrote to memory of 1232	2592	cmd.exe	37
PID 2592 wrote to memory of 1232	2592	cmd.exe	37
PID 2592 wrote to memory of 1212	2592	cmd.exe	38
PID 2592 wrote to memory of 1212	2592	cmd.exe	38
PID 2592 wrote to memory of 1212	2592	cmd.exe	38
PID 2592 wrote to memory of 1212	2592	cmd.exe	38
PID 2592 wrote to memory of 1656	2592	cmd.exe	40
PID 2592 wrote to memory of 1656	2592	cmd.exe	40
PID 2592 wrote to memory of 1656	2592	cmd.exe	40
PID 2592 wrote to memory of 1656	2592	cmd.exe	40
PID 2592 wrote to memory of 1112	2592	cmd.exe	41
PID 2592 wrote to memory of 1112	2592	cmd.exe	41
PID 2592 wrote to memory of 1112	2592	cmd.exe	41
PID 2592 wrote to memory of 1112	2592	cmd.exe	41
PID 2592 wrote to memory of 1636	2592	cmd.exe	42
PID 2592 wrote to memory of 1636	2592	cmd.exe	42
PID 2592 wrote to memory of 1636	2592	cmd.exe	42
PID 2592 wrote to memory of 1636	2592	cmd.exe	42
PID 2592 wrote to memory of 1300	2592	cmd.exe	43
PID 2592 wrote to memory of 1300	2592	cmd.exe	43
PID 2592 wrote to memory of 1300	2592	cmd.exe	43
PID 2592 wrote to memory of 1300	2592	cmd.exe	43
PID 2592 wrote to memory of 2756	2592	cmd.exe	44
PID 2592 wrote to memory of 2756	2592	cmd.exe	44
PID 2592 wrote to memory of 2756	2592	cmd.exe	44
PID 2592 wrote to memory of 2756	2592	cmd.exe	44
PID 2592 wrote to memory of 1164	2592	cmd.exe	45
PID 2592 wrote to memory of 1164	2592	cmd.exe	45
PID 2592 wrote to memory of 1164	2592	cmd.exe	45
PID 2592 wrote to memory of 1164	2592	cmd.exe	45
PID 2592 wrote to memory of 1176	2592	cmd.exe	46
PID 2592 wrote to memory of 1176	2592	cmd.exe	46
PID 2592 wrote to memory of 1176	2592	cmd.exe	46
PID 2592 wrote to memory of 1176	2592	cmd.exe	46

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\ROBLOX MOD.zip"
1⤵
PID:2012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Users\Admin\Documents\ROBLOX MOD\ROBLOX MOD.exe
"C:\Users\Admin\Documents\ROBLOX MOD\ROBLOX MOD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Shopping Shopping.bat & Shopping.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 866
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Idaho + Draft + Robots + Strip + Discussions 866\Advertising.pif
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Slideshow + Th + Richards + Evening + Td + Formal + Rule + Integral + Gender 866\w
    3⤵
    PID:2756
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\866\Advertising.pif
    866\Advertising.pif 866\w
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1164
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\866\w

Filesize
2.0MB

MD5
b7c9d0cd6fc5b3107da960b1350831d2

SHA1
8a58955e1e490c715ea200b0b26bb779d062dd80

SHA256
fc24bbbbc24918bf5c348c9ce62c828572986d3824b199c16dc51527acb36b0f

SHA512
b2b58eeedec8e9a56e9925178f2dd5c36adf4d71520f755c0f17b69c7f07c274173e0c886df745b7d3bf4c8942aa0c184a7e98efe69d2c49859b04f9fba65e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Discussions

Filesize
172KB

MD5
9ab2f5c24bf062baf5b8bb9bcd1588eb

SHA1
000da446d79c7f83ac5d3533d94319cf80f1b6b4

SHA256
e7dcf3a1e34ca93158df259448ba9da77a5b488a59413b1f74e678b2f608443a

SHA512
6520e8628f72c957226c08c2ac87c1ac8ccc047dbd876df4924ebcb4f8a2bca1f7d73300f20d84951cb72db611121436db24f95e685735a107cc57181d09a11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Draft

Filesize
67KB

MD5
e90fd35919c3487d3c0d1fa107630218

SHA1
ee802f1a1dcf8cf8a21de0dbdef5c769ffaa49b2

SHA256
79e65a6ce805715b2ce83c4655a91483962e62b10f7fdf2e7d4d755997230e9a

SHA512
4061bc24c77bc4edb0cda744566ee68d3d1ef6df082361d51d5af35884631734eed91a8d52fd851240a31cc4354aaabd3ffd85c67d5c4d9bbb598b1b5e05e1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Evening

Filesize
247KB

MD5
b96db37af66c03980d1b97815f72e57d

SHA1
4ee40e31415023ca7fc7c060afd1135ed0789045

SHA256
ee5a9400c0c0f2c717442cb8d0fd0130c65c6e139bc2902598a5f02cb6619dd1

SHA512
3428807ad06f2851af6ffec966260823ef2c035dc7a73bc25e83d6d1eb482410da84bf5b57f9b8af7e15584a3701f22338ef0d51d0dffae4ca35ccbf2a140cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Formal

Filesize
211KB

MD5
a6ebcaec689a4165b3cf5a80a3ae12af

SHA1
cf4bc129acb2fadeb724ba3a7df79f553d16e881

SHA256
d13de66f189724ab2f3c4a14e9429f0c88fa060c0aa290db0056bbc251137dff

SHA512
d361303bfee56108cf5c70ab059fe39f204b0276d1ccab4f207e3394cff6510811f793a9f234a6cd73c1a55c9b5834368bb6e5c224b359c82145a12612299608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Gender

Filesize
210KB

MD5
9e36b1775217713cd115d4d1ae5fb06b

SHA1
a6acd57a0e38310701907e574dbd3e67aae0345f

SHA256
dc12c4dba2988c356492da978b1324ad4dfd7c21a108443d42a5212008285261

SHA512
45065e59845c74b75d879dc1a33629d2aa94b1f591f67e1f9fd8dd4c13cc2244a61e8701e531f2da9db0e59b256e743b773819a733375240da067f0202ebccd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Idaho

Filesize
268KB

MD5
3a2daa6adbdb1958f376f9a21eaa6d29

SHA1
f5abc22926014bfabfec9c52527cba770d1f1f89

SHA256
174d8400295a92dc0447f74b8b30455913f91cfaff9ccf0950815c2fafccaa06

SHA512
23416a63ce6103aa04d86143cea4a9fdaee3de4c0b378a201c5e74550eb48f5f90a799aa990722c20328e8de82a86c06645c274b05d97a8d253cc5e31a26bceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Integral

Filesize
232KB

MD5
a4f645bf37739931a3615fdec6c95be0

SHA1
ddbe93815bb7406ffee9d2e9c2411949bd70369f

SHA256
2448a3b2704be4c2fefba8c753e7200fcdf7a30a9b0f8aca3ebaae3b05d4d28c

SHA512
6cc22abc38a3b27dc829ab043f488af2d74ce33aaa6a7817c4d4cd93e12cbe6e1f9994f21236def1701f3285d784ed7f12b1a489169f3564042971be40de88fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Richards

Filesize
248KB

MD5
eb59efc963fcbea8322db8a916a6f169

SHA1
47ae459f4db214d53864b22dbf59e824b4e2b45d

SHA256
0f1afa5920b41c3aaf7e44072da098c2193ce72915c4eac303313ae042b1359b

SHA512
9f979913d9052efc046afd22a5940bd1bfa5d432b4ce6ad30cc3921262be6b5993c74ffe881593d80c91ecbb350a1853abf6d25d6f8bba1f17f22032df4ae228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Robots

Filesize
186KB

MD5
24e38f21ace327d0c623410e8746f2fe

SHA1
cec6461271afa2fd29d482fb2199efb7d76db135

SHA256
7a80ebd87c7155f6829f63d6fa811e106ff6e829d916670e7576205b9a2e5900

SHA512
2e6a266126b1788b0421ad6f6bcb320a455aee6e40a5708a9e6cc93187b6c03e1c2a9447d77e8cfacc16d4efb4659e437761c8d4d489d89e84ce407a95e9644f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rule

Filesize
266KB

MD5
a87ae7bbf96138fee463aba2b24ae919

SHA1
f2fb6e1a898f7caf4ec867faac7d5a9b5788a190

SHA256
b8de3d9cadec6ee818dfee7250eb9cbac19fc1a4218a1b99407725e43307fe0d

SHA512
ee04142c42f9d972bf4f8b476f81faa3052dacbdffb23fc4085b86fb88e58b14e4c72b5ea919af2adbccc728270eaf089a6f68755e0ab55150650555b73be4e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Shopping

Filesize
26KB

MD5
66b4c41f4005858d8145857139eff817

SHA1
587ef26cb72c82ec072859d90150b5d0e18cb6a1

SHA256
bd99380f66c0c3e9efb4e35d60705b01392f7cbbd696d2283531701d5feb092a

SHA512
8f08cb645495d7349a98df6943702239b183ab71ba03f54f7658404faae9f05ae18aa0a3a6180c9ef4f66f9bf5638a6b313145a58e754be327b5b7ad1124a3e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Slideshow

Filesize
215KB

MD5
894dbcc42ca4813d191733a805c3acc2

SHA1
cb784b2d38e9b58e654b466222059de0228b94c9

SHA256
1ccbea782f124f7a0c8c0696cb7997fa51bbd947a0e8ebe20e414c43b0536d44

SHA512
8bb431914aaa8e964fced8e1f789acc99dd9e08c9aa6a97e79dcdf151ea42a7cc41ccfb7fb7c5cbc87aa3ecea17880fead83a7d017038fac76989dfdaaaae22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Strip

Filesize
228KB

MD5
3afe38412f1807a8166c993795326419

SHA1
bdea157154e252469f0fdb78a0d98a7b898f3dc3

SHA256
85d31ca2fe3aa6c2ab92693f84a2914bd78589666c8ac47261c0a9b34a01fbe8

SHA512
5bea371347771c8d362dfc2dba94db70048e465933f97e90e041dd599e00d6f670343a48fce5ecb69d65880f8cdd585ff2dd44509f6994f2392dc5dbcad8f175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Td

Filesize
218KB

MD5
95eb83acbd873a51869dd2f87a3d9f5d

SHA1
f34600ed08d217f39012d72432ce4eecfd9ef58b

SHA256
3f28c79f005d2f3730ae00b822a79fd47e3f58249b79f8b56cb5d24a2ae11800

SHA512
a37ef2cd29dbfed4a602d7a53b71e6c389bd886153ed2bed66965701e87c97d3f97f5981e282d3799e9b3492f39b4373e2ef644021b787cc26fb9d629e240299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Th

Filesize
209KB

MD5
e07d160d7a10ee57b795e7dc85fcb7cb

SHA1
cff6861a1caa7410cbefbe6903e0900de338e749

SHA256
c82cab2bf31a26f8409e885bdfedb9e04fd8c86a7fd04f8fb1d5e9300891c58e

SHA512
55505fd2d41813f16ea740143fb8c0558d00d5f80c206cfbbeba49590ddd4d7fa4c9b3147d2dcd507a80f6cb671ad89bcd2506d0512c4397b2f9ec386fc997ac

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\866\Advertising.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/1164-36-0x0000000077C60000-0x0000000077D36000-memory.dmp

Filesize
856KB

Download