9dccabead5285e6fd0810c38ffacd38bcc449763798d696ef98e6deb819c743e

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roblox-mobile-1.0_archive.torrent
Size

3KB
MD5

773ad60f4bf03b82cf5471f7588428f7
SHA1

fb9cd3fb48e8778bd5a4ae94573631b4a79def67
SHA256

9dccabead5285e6fd0810c38ffacd38bcc449763798d696ef98e6deb819c743e
SHA512

12796e42073a42af9428c62170897306fad31181252f510ae57057ae398637bef315942d97a382e456e08eb655e8dbc46af66fb8bcb918f7733417b37348616d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\torrent_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\torrent_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.torrent	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\torrent_auto_file\shell\Open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\torrent_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\torrent_auto_file\shell\Open\command\ = "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\" --started-from-file \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\torrent_auto_file\shell\Open\ = "Play with VLC media player"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\torrent_auto_file\shell\Open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.torrent\ = "torrent_auto_file"	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2948	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1728	rundll32.exe
2948	vlc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe
2948	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2948	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1728	2920	cmd.exe	29
PID 2920 wrote to memory of 1728	2920	cmd.exe	29
PID 2920 wrote to memory of 1728	2920	cmd.exe	29
PID 1728 wrote to memory of 2948	1728	rundll32.exe	32
PID 1728 wrote to memory of 2948	1728	rundll32.exe	32
PID 1728 wrote to memory of 2948	1728	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\roblox-mobile-1.0_archive.torrent
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\roblox-mobile-1.0_archive.torrent
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\roblox-mobile-1.0_archive.torrent"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2948

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
105B

MD5
1302c2a94d33c554e022868782894ea8

SHA1
c1c9b4b9649bee66b4ea65ad2de712b204350c54

SHA256
7bbe21d26a61c629d9467143dfecc8b65962d904db6c2ee01794559e69c47c39

SHA512
da298ed3600b8236d43af7979d7392058f2a4a5a7fb77887cd315ea8ee210c4232f4373ef75df743d2b348c2ffc1d16e4cd6c62d5e50d6e4f513383d42d1c060

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
d0cf52efd7ba7ccb249494299a80e291

SHA1
e0f729d455593d110debdfb66370fa50f2c324fe

SHA256
df56063bc68f0243cbf835f9b8c2ed7ff1d11807d87cd8a15e3410cbe883a33e

SHA512
3974b2e174ff7cf1736983f8d55fc82f967ca62ee42a88c1a0ddb08d4f6f67c8ff7003db5287eace82c0ccd61bf502ab3ff506361a4107c49ef8ac7de5dc2e33

Download Submit
memory/2948-79-0x000007FEF6790000-0x000007FEF67C4000-memory.dmp

Filesize
208KB

Download
memory/2948-78-0x000000013F9E0000-0x000000013FAD8000-memory.dmp

Filesize
992KB

Download
memory/2948-80-0x000007FEF5920000-0x000007FEF5BD4000-memory.dmp

Filesize
2.7MB

Download
memory/2948-81-0x000007FEF4540000-0x000007FEF55EB000-memory.dmp

Filesize
16.7MB

Download