Resubmissions
20-06-2024 17:40
240620-v8797azbkf

Analysis
- max time kernel: 51s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 17:40

Behavioral tasks
- behavioral1: Sample RobuxGen.exe, Resource win7-20240220-en
- behavioral2: Sample RobuxGen.exe, Resource win10v2004-20240611-en
- behavioral3: Sample R.pyc, Resource win7-20240611-en
- behavioral4: Sample R.pyc, Resource win10v2004-20240508-en

General
- Target: R.pyc
- Size: 31KB
- MD5: d86977a2192ece36dd67fb0cda948723
- SHA1: 5b2a8a046c0650148e079ea728ff16cc2c9d68e8
- SHA256: c67f9a5d106e19910df975e3aa55a486e3a98beda6e12ddbeef0ace01136ddcc
- SHA512: d27907734b9e43a7a30775fd156a4fead59917e8643388b8839eef45ade16c9071822eb63f81f0a572499c796c76e5c23e37001db5b876265646193be7712e95
- SSDEEP: 768:hDjRWQiKBzfTdJJ8Ba19WnNPVqd0uEWl6xWe6SE:9DLTdJyguVRuS2

Malware Config

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes:
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | cmd.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
  pid | Process
  1152 | NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | Process
  2200 | OpenWith.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes:
  pid | Process
  2200 | OpenWith.exe (17 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 2200 wrote to memory of 1152 | 2200 | OpenWith.exe | 90
  PID 2200 wrote to memory of 1152 | 2200 | OpenWith.exe | 90

Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\R.pyc
  - Modifies registry class
  PID:3948
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200
  - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\R.pyc
    - Opens file in notepad (likely ransom note)
    PID:1152