Analysis
- max time kernel: 91s
- max time network: 134s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-04-2024 18:31
Behavioral task behavioral1
- Sample: Ballad Setup Installer.exe
- Resource: win11-20240412-en
Behavioral task behavioral2
- Sample: Roblox beamer code.pyc
- Resource: win11-20240412-en
General
- Target: Roblox beamer code.pyc
- Size: 3KB
- MD5: 58785de7588a0cc4a4a5e2000f3d7bb3
- SHA1: df4be0c10365dd834c3e79e35c5b541f8e8af17a
- SHA256: 344c9971d0acd17ea190428a7f9087c6bc65b346f86fa8faa1191b97ff30edb3
- SHA512: c18f43a2783cc049554c23857b52a9ac519c78284f938e1782fcccea88f83e202d6457484047743759863b52c20e40cd8c06d849a64c62b6df466fbe6ebe3091
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: Winword.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Winword.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: Winword.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Winword.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Winword.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Winword.exe
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: Winword.exe
  pid | process
  1176 | Winword.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (22 IoCs)
  Processes: OpenWith.exe, Winword.exe
  pid | process
  3168 | OpenWith.exe (13 occurrences)
  1176 | Winword.exe (9 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: OpenWith.exe
  description | pid | process | target process
  PID 3168 wrote to memory of 1176 | 3168 | OpenWith.exe | Winword.exe (2 occurrences)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Roblox beamer code.pyc"
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 3168)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\Winword.exe (PID 1176, child of OpenWith.exe)
    "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Roblox beamer code.pyc"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads