c8b7775ff94b089a78394fa6dc4dcab66d46cba7e093e89348ff22c92d740ef3

Analysis

max time kernel
140s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
04/07/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox-Mass-Report-main/setup.bat
Size

206B
MD5

e38449d67b0bf2858c150e2fb362a3cf
SHA1

2be664e387090d39741724a350a4cb0b4c1c8dcd
SHA256

bcee903f4a0aeacaea78e314cfbd2a91993c2578eed0ff9bac402e76494b8bf2
SHA512

f311caa7a9c5f706fc95de077d837329d5a3c8b849c6e499bc209f5b8d633919d3c7502b0e0245756b262f021cb0d357b3a8b4358096d6b054c93033a33fc7e5

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3560	4764	cmd.exe	80
PID 4764 wrote to memory of 3560	4764	cmd.exe	80
PID 4764 wrote to memory of 3560	4764	cmd.exe	80
PID 4764 wrote to memory of 1356	4764	cmd.exe	82
PID 4764 wrote to memory of 1356	4764	cmd.exe	82
PID 4764 wrote to memory of 1356	4764	cmd.exe	82
PID 4764 wrote to memory of 5028	4764	cmd.exe	83
PID 4764 wrote to memory of 5028	4764	cmd.exe	83
PID 4764 wrote to memory of 5028	4764	cmd.exe	83
PID 4764 wrote to memory of 3444	4764	cmd.exe	84
PID 4764 wrote to memory of 3444	4764	cmd.exe	84
PID 4764 wrote to memory of 3444	4764	cmd.exe	84
PID 4764 wrote to memory of 3716	4764	cmd.exe	85
PID 4764 wrote to memory of 3716	4764	cmd.exe	85
PID 4764 wrote to memory of 3716	4764	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Roblox-Mass-Report-main\setup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python -m pip install pystyle
  2⤵
  PID:3560
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python -m pip install json
  2⤵
  PID:1356
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python -m pip install bs4
  2⤵
  PID:5028
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python -m pip install lxml
  2⤵
  PID:3444
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python -m pip install random
  2⤵
  PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2420

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2864

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
1KB

MD5
a8d1ae162e502d0c7b1689a60b46b940

SHA1
3812c6afa2e2d3fddb0d2c71aa4c12dbc51938b9

SHA256
5d1d00cce989539321ffd1ec89a768cf21cbc2067f42025abbc1bb82a48d4957

SHA512
a6a06baabd31752c01ef13316579321d8b4379c0e74cfd0d1fa5e833a7dd6b6b5f125001dc74202db3785ed9ebc4a94be5dff7a5e32e5448bd55103f78c2d513

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
1KB

MD5
8b6e396bbd30b8d55cbf63c77e3046f6

SHA1
09b092fb7cd87f9ea077871d81787eba98899326

SHA256
5f453d8c907e0bba338a79867e7441a8f469c6a112c18e41245a03553f7fc778

SHA512
44e937b85ef29484f080c9c7f3ea3b6d213f3edd73d2b47114a2d4d4591e6476fb32bc919a40f0e530aa079b150a877cc0d122d46b1df8655015d72399fb6713

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
2KB

MD5
5618b090b256198cb940223208741a01

SHA1
854fe35f82080171a73c1a6cbce81b6426424102

SHA256
19b4cd9966eb332457b041c2fbafa6e1db2bf818d5289de354f033bbf59bfd01

SHA512
ee8ca70b1b9e479cfbcf4204a6efc4e1ac1f6d0956bc8595610007e011ea06398d4758a0ff3d99ccf6336bb91bc3c5540925d70c5664a99f5043dd2269e2e498

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
550B

MD5
51547e0b1475581284298e3655340cfb

SHA1
6d9bfc3b353e83694891c38afe23b959e114f5cb

SHA256
6efab69584f1f9f61b11a96843a9c3482e012cb5d526db1152fd92833d3c029d

SHA512
230d47a40d759f1b1a7de25275b508a9f80e8f8ecbc1307016a83eef310499e5275b315e62fcb5e0201a16162246b89eabdb76886448bead5b7f5f3089e1d99a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads