Analysis
max time kernel: 60s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 18:27
Behavioral task: behavioral1
Sample: RobloxPlayerBeta.exe
Resource: win10v2004-20240419-en (windows10-2004-x64)
10 signatures, 150 seconds

Behavioral task: behavioral2
Sample: RobloxPlayerBeta.pyc
Resource: win10v2004-20240419-en (windows10-2004-x64)
5 signatures, 150 seconds
General
Target: RobloxPlayerBeta.pyc
Size: 45KB
MD5: 04874703899f3795772623d4baa7f20e
SHA1: 60db20b2b60c9d411499133abfd6f098c3d331b4
SHA256: 8bea6a4afec6a7dc90e24e9f20f353cdbfa44de31455265efc6a53dcc630bc4b
SHA512: 295ffd69b943817e97533294fb6ba2ed4292fdfb0edf7653c56ac4281bc87e580a3a7ad686e75648bfa10a3d82bf84fb863542773c7d6e01182ac126bd0c1f80
SSDEEP: 768:n9JWOwURKWmGZvo8DYPzQ0o9pTxyfPDRZe70Dc+35Ovw8fShrxeW3gMJbDlhLx3u:n9JW01mcvaP80idxyfFMSc+35Ovw8fSu
Score: 3/10
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | cmd.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
  pid | process
  3980 | NOTEPAD.EXE

Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes:
  pid | process
  4156 | OpenWith.exe (15 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 4156 wrote to memory of 3980 | 4156 | OpenWith.exe | NOTEPAD.EXE
  PID 4156 wrote to memory of 3980 | 4156 | OpenWith.exe | NOTEPAD.EXE
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\RobloxPlayerBeta.pyc
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\NOTEPAD.EXE (child process)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RobloxPlayerBeta.pyc
    - Opens file in notepad (likely ransom note)