3664113f7ace4433828dbc22df3592b3dc46eadfb1448868af8ff0803afd9041

Analysis

max time kernel
4s
max time network
0s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 06:19

Target

Roblox Player.rar
Size

82KB
MD5

c4e3c8e2f02594c8ace6137fb50c1eb9
SHA1

53013ab3c60826707430cf985585267e8376b420
SHA256

3664113f7ace4433828dbc22df3592b3dc46eadfb1448868af8ff0803afd9041
SHA512

f261b61efdb335fe722cf509e2eae58660fb2bb1cdb737db3b2a9e42ec674f57fa32a6bafaa7ccec0b91d24b313b8ee6268ccf8ebc06336bc007c756c06b5704
SSDEEP

1536:dy1KufIr9Rx7VdRQlnwWkHvXgvKWcqQ7kT1IyKLeDWZcPCJZVpj67WvnTcf:dyQr17VdR2wA4AT1IyK6DWZLx67UT6

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2776	3008	cmd.exe	29
PID 3008 wrote to memory of 2776	3008	cmd.exe	29
PID 3008 wrote to memory of 2776	3008	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Roblox Player.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Roblox Player.rar
  2⤵
  - Modifies registry class
  PID:2776

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact