Overview

overview

4

Static

static

1

URLScan

urlscan

1

https://roexec.lol/

windows10-1703-x64

4

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-04-2024 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://roexec.lol/

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://roexec.lol/"
    1⤵
      PID:4164
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2168
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      PID:4688
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4472
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2004
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4120
      • C:\Windows\System32\NOTEPAD.EXE
        "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Loader.bat
        1⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:4436
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:348
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Loader.bat"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:VbLHakvKOm; "
          2⤵
            PID:3756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:360
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3492
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SDRSVC
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Loader.bat"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3200
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:VbLHakvKOm; "
            2⤵
              PID:2588
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4960
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Loader.bat"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:656
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:VbLHakvKOm; "
              2⤵
                PID:3648
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2360

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            3
            T1012

            Peripheral Device Discovery

            1
            T1120

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
              Filesize

              4KB

              MD5

              1bfe591a4fe3d91b03cdf26eaacd8f89

              SHA1

              719c37c320f518ac168c86723724891950911cea

              SHA256

              9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

              SHA512

              02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              b35c81b90185530c116e245b74fa2a7b

              SHA1

              9ec3db80d69bc51a822eeb1ebc8df8eab4fd7b6a

              SHA256

              d4bbe07ea9e4148a6cbc18a722daa292595d0244b409a6d1900405b822daa4f2

              SHA512

              f99b7a101e2954e5b303823b4ecacd01a392c9121d6564585d18876de8bf8897e50f223a2b661b16d45df15d2cdf1b2aa35e1dc6148e54d9fc9e6d7602ca9e7e

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZDIGHWMN\edgecompatviewlist[1].xml
              Filesize

              74KB

              MD5

              d4fc49dc14f63895d997fa4940f24378

              SHA1

              3efb1437a7c5e46034147cbbc8db017c69d02c31

              SHA256

              853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

              SHA512

              cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              2KB

              MD5

              7b0cd7d30694f60c01aebc428ff43226

              SHA1

              fecdc3f83f729cd8b6053c506aa27d92db1f21da

              SHA256

              262aa0bb8ef97414457f0d164d0614a8edec814a370496d8d2994997b887f588

              SHA512

              a0afd3b2965d217932dd5974269c1c7b2eafd15fee20c3e98ee15ab90ecd128107f43b64c042fcc5541f207f9eb859bbf16b18bb61bae4d96ef223b96a2bf865

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              2KB

              MD5

              def2f140bf5d2a15ce19046bf195ffa8

              SHA1

              595c463e9686926991834c11913b1d8fd0366a97

              SHA256

              dc0ae4b2d3026ed953184ab9cfa86823c22b98853a60886ae3308939c2e294b2

              SHA512

              4cdbeb3959dd305e4ab91d7ac899ade87874a9ca24271e7aeefc7bd82eea3c4a5a1ad29d217b0294902a0f34ffb2ef47db2f6594c729fa5544c61745e5a0f2c6

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\VQDZGNRD\suggestions[1].en-US
              Filesize

              17KB

              MD5

              5a34cb996293fde2cb7a4ac89587393a

              SHA1

              3c96c993500690d1a77873cd62bc639b3a10653f

              SHA256

              c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

              SHA512

              e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Loader.zip.2zbj3pi.partial
              Filesize

              10.7MB

              MD5

              9707cda1159f673820ca1f4418c30b7f

              SHA1

              f422d9bc5b0e87dd71ace4dce22a2f60fabe8db9

              SHA256

              63ad1c61c2a15acb8bcfbb41e787cc5b82b925bb8acc6ebf8e5aa08ce056cafa

              SHA512

              7afe416209d8c965ef767dd8239ebf1ed4d1dc00b84d4eba08c5cb04ba4ba511f8666ff683d1a824ee15b3b6cb4f1a4bdbe27353950bfaa3249e7d7d42fe4b44

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\01Y5O1AP\Loader[1].zip
              Filesize

              15KB

              MD5

              4cc3ace51a0a2098f30d6318de38383b

              SHA1

              f7d9afe8cf1e4794f3de7df9c7c293b6de02cec9

              SHA256

              b611ca337046103c24c096bd8474cd271144a6a16354d778ee2867e16aec7cda

              SHA512

              dee00bfd45337d32350409c2c1d5e766f8e8ccde5449e1db4e5bd4bbcba6e816920c6e22e372caa431c94bc72ddf3d99d4b830e8a1dbf035029077b51cdefe3a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eq3z4jvp.cni.ps1
              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

              Download Submit
            • memory/360-302-0x00007FF7F1AC0000-0x00007FF7F1B30000-memory.dmp
              Filesize

              448KB

              Download
            • memory/360-276-0x00007FFF69C40000-0x00007FFF69CEE000-memory.dmp
              Filesize

              696KB

              Download
            • memory/360-272-0x000001ABF15D0000-0x000001ABF20BC000-memory.dmp
              Filesize

              10.9MB

              Download
            • memory/360-270-0x000001ABF0B20000-0x000001ABF15CC000-memory.dmp
              Filesize

              10.7MB

              Download
            • memory/360-230-0x000001ABB83B0000-0x000001ABB8426000-memory.dmp
              Filesize

              472KB

              Download
            • memory/360-219-0x000001ABB7F60000-0x000001ABB7F9C000-memory.dmp
              Filesize

              240KB

              Download
            • memory/360-192-0x000001ABB7DB0000-0x000001ABB7DD2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/360-275-0x00007FFF6B550000-0x00007FFF6B72B000-memory.dmp
              Filesize

              1.9MB

              Download
            • memory/1332-92-0x0000025159260000-0x0000025159262000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-88-0x0000025159220000-0x0000025159222000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-94-0x0000025159280000-0x0000025159282000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-86-0x00000251590C0000-0x00000251590C2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-90-0x0000025159240000-0x0000025159242000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-78-0x0000025158EB0000-0x0000025158EB2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-76-0x0000025158E90000-0x0000025158E93000-memory.dmp
              Filesize

              12KB

              Download
            • memory/1332-80-0x0000025158ED0000-0x0000025158ED2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-58-0x0000025148510000-0x0000025148610000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1332-82-0x0000025158EF0000-0x0000025158EF2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1332-84-0x00000251590B0000-0x00000251590B2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2004-44-0x0000021BFC000000-0x0000021BFC100000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/2168-144-0x000001C4C5D80000-0x000001C4C5D81000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2168-16-0x000001C4BF620000-0x000001C4BF630000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2168-143-0x000001C4C5D50000-0x000001C4C5D51000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2168-35-0x000001C4BCBF0000-0x000001C4BCBF2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2168-0-0x000001C4BF520000-0x000001C4BF530000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2360-440-0x00007FFF69C40000-0x00007FFF69CEE000-memory.dmp
              Filesize

              696KB

              Download
            • memory/2360-439-0x00007FFF6B550000-0x00007FFF6B72B000-memory.dmp
              Filesize

              1.9MB

              Download
            • memory/2360-466-0x00007FF7F1AC0000-0x00007FF7F1B30000-memory.dmp
              Filesize

              448KB

              Download
            • memory/4960-359-0x00007FFF69C40000-0x00007FFF69CEE000-memory.dmp
              Filesize

              696KB

              Download
            • memory/4960-358-0x00007FFF6B550000-0x00007FFF6B72B000-memory.dmp
              Filesize

              1.9MB

              Download
            • memory/4960-392-0x00007FF7F1AC0000-0x00007FF7F1B30000-memory.dmp
              Filesize

              448KB

              Download