Resubmissions
20-06-2024 17:40
240620-v8797azbkf 7Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 17:40
Behavioral task: behavioral1
Sample: RobuxGen.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: RobuxGen.exe
Resource: win10v2004-20240611-en
Behavioral task: behavioral3
Sample: R.pyc
Resource: win7-20240611-en
Behavioral task: behavioral4
Sample: R.pyc
Resource: win10v2004-20240508-en
General
Target: R.pyc
Size: 31KB
MD5: d86977a2192ece36dd67fb0cda948723
SHA1: 5b2a8a046c0650148e079ea728ff16cc2c9d68e8
SHA256: c67f9a5d106e19910df975e3aa55a486e3a98beda6e12ddbeef0ace01136ddcc
SHA512: d27907734b9e43a7a30775fd156a4fead59917e8643388b8839eef45ade16c9071822eb63f81f0a572499c796c76e5c23e37001db5b876265646193be7712e95
SSDEEP: 768:hDjRWQiKBzfTdJJ8Ba19WnNPVqd0uEWl6xWe6SE:9DLTdJyguVRuS2
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (9 IoCs)
Processes: rundll32.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pyc | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: AcroRd32.exe
pid | Process
2680 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: AcroRd32.exe
pid | Process
2680 | AcroRd32.exe
2680 | AcroRd32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: cmd.exe, rundll32.exe
description | pid | Process | procid_target
PID 1284 wrote to memory of 2632 | 1284 | cmd.exe | 29
PID 1284 wrote to memory of 2632 | 1284 | cmd.exe | 29
PID 1284 wrote to memory of 2632 | 1284 | cmd.exe | 29
PID 2632 wrote to memory of 2680 | 2632 | rundll32.exe | 30
PID 2632 wrote to memory of 2680 | 2632 | rundll32.exe | 30
PID 2632 wrote to memory of 2680 | 2632 | rundll32.exe | 30
PID 2632 wrote to memory of 2680 | 2632 | rundll32.exe | 30
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\R.pyc
   - Suspicious use of WriteProcessMemory
   PID: 1284
   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\R.pyc
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2632
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\R.pyc"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         PID: 2680
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: a5980a907d6ed55d5d1f76a40ac67b35
SHA1: 70e9cd78268d5bbbd4e8c032774589bbb01875bc
SHA256: b8e025740e3cf9f3f7d305cc7b41bbd00384eae4aba96c79e199a892810df6bf
SHA512: 4cd3ee90856d70678819b15a0baac82b950a274ea791507a43c8336b58857bcf5c8d724c8130a8dd8728eba82f17be40db1db1df9bc8ce638750fb159ed0932a