44aa6595d19ff3d7f16bd3bd8733503ec15e2e2b2cfd906e6d09b27047bb87a3

Analysis

max time kernel
59s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 12:04 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobuxGiver/Run.bat
Size

38KB
MD5

5d2020803a46dad54351dec6cbfef2a8
SHA1

82c6bb2d9fe8b7dafcd38a53062a916f799def0a
SHA256

c008b4b0a7c2bb3eb56ace3ec469e203e05b24f204a84ca03fbde38a914ef162
SHA512

aa910eee045499e02bfc3fa326238f482f2fde49d94fb7624ff702ae378b3f32867df3cef74d3e36e32e2504b0bfdf096a41564bd566064c808233cd4ddb384d
SSDEEP

192:xtoe3MdO6xCR934ydDECjJUy8bZvZTIOdArWcHi5kFtgwJmjLBGuK6a4odfMsKzR:x+e4HKxlSF7J1Ou7GIyxUQ9oTbYBhneX

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4416	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4860	WMIC.exe
Token: SeRemoteShutdownPrivilege	4860	WMIC.exe
Token: SeUndockPrivilege	4860	WMIC.exe
Token: SeManageVolumePrivilege	4860	WMIC.exe
Token: 33	4860	WMIC.exe
Token: 34	4860	WMIC.exe
Token: 35	4860	WMIC.exe
Token: 36	4860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4860	WMIC.exe
Token: SeRemoteShutdownPrivilege	4860	WMIC.exe
Token: SeUndockPrivilege	4860	WMIC.exe
Token: SeManageVolumePrivilege	4860	WMIC.exe
Token: 33	4860	WMIC.exe
Token: 34	4860	WMIC.exe
Token: 35	4860	WMIC.exe
Token: 36	4860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4272	WMIC.exe
Token: SeSecurityPrivilege	4272	WMIC.exe
Token: SeTakeOwnershipPrivilege	4272	WMIC.exe
Token: SeLoadDriverPrivilege	4272	WMIC.exe
Token: SeSystemProfilePrivilege	4272	WMIC.exe
Token: SeSystemtimePrivilege	4272	WMIC.exe
Token: SeProfSingleProcessPrivilege	4272	WMIC.exe
Token: SeIncBasePriorityPrivilege	4272	WMIC.exe
Token: SeCreatePagefilePrivilege	4272	WMIC.exe
Token: SeBackupPrivilege	4272	WMIC.exe
Token: SeRestorePrivilege	4272	WMIC.exe
Token: SeShutdownPrivilege	4272	WMIC.exe
Token: SeDebugPrivilege	4272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4272	WMIC.exe
Token: SeRemoteShutdownPrivilege	4272	WMIC.exe
Token: SeUndockPrivilege	4272	WMIC.exe
Token: SeManageVolumePrivilege	4272	WMIC.exe
Token: 33	4272	WMIC.exe
Token: 34	4272	WMIC.exe
Token: 35	4272	WMIC.exe
Token: 36	4272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4272	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2020	1188	cmd.exe	88
PID 1188 wrote to memory of 2020	1188	cmd.exe	88
PID 1188 wrote to memory of 4676	1188	cmd.exe	89
PID 1188 wrote to memory of 4676	1188	cmd.exe	89
PID 1188 wrote to memory of 540	1188	cmd.exe	90
PID 1188 wrote to memory of 540	1188	cmd.exe	90
PID 1188 wrote to memory of 3580	1188	cmd.exe	91
PID 1188 wrote to memory of 3580	1188	cmd.exe	91
PID 1188 wrote to memory of 4824	1188	cmd.exe	92
PID 1188 wrote to memory of 4824	1188	cmd.exe	92
PID 1188 wrote to memory of 1044	1188	cmd.exe	93
PID 1188 wrote to memory of 1044	1188	cmd.exe	93
PID 1188 wrote to memory of 1492	1188	cmd.exe	94
PID 1188 wrote to memory of 1492	1188	cmd.exe	94
PID 1188 wrote to memory of 3128	1188	cmd.exe	95
PID 1188 wrote to memory of 3128	1188	cmd.exe	95
PID 1188 wrote to memory of 4044	1188	cmd.exe	96
PID 1188 wrote to memory of 4044	1188	cmd.exe	96
PID 1188 wrote to memory of 4860	1188	cmd.exe	97
PID 1188 wrote to memory of 4860	1188	cmd.exe	97
PID 1188 wrote to memory of 844	1188	cmd.exe	98
PID 1188 wrote to memory of 844	1188	cmd.exe	98
PID 3972 wrote to memory of 940	3972	cmd.exe	113
PID 3972 wrote to memory of 940	3972	cmd.exe	113
PID 3972 wrote to memory of 4768	3972	cmd.exe	114
PID 3972 wrote to memory of 4768	3972	cmd.exe	114
PID 3972 wrote to memory of 1040	3972	cmd.exe	115
PID 3972 wrote to memory of 1040	3972	cmd.exe	115
PID 3972 wrote to memory of 1012	3972	cmd.exe	116
PID 3972 wrote to memory of 1012	3972	cmd.exe	116
PID 3972 wrote to memory of 3364	3972	cmd.exe	117
PID 3972 wrote to memory of 3364	3972	cmd.exe	117
PID 3972 wrote to memory of 2876	3972	cmd.exe	118
PID 3972 wrote to memory of 2876	3972	cmd.exe	118
PID 3972 wrote to memory of 4292	3972	cmd.exe	119
PID 3972 wrote to memory of 4292	3972	cmd.exe	119
PID 3972 wrote to memory of 512	3972	cmd.exe	120
PID 3972 wrote to memory of 512	3972	cmd.exe	120
PID 3972 wrote to memory of 2192	3972	cmd.exe	121
PID 3972 wrote to memory of 2192	3972	cmd.exe	121
PID 3972 wrote to memory of 4272	3972	cmd.exe	122
PID 3972 wrote to memory of 4272	3972	cmd.exe	122
PID 3972 wrote to memory of 4124	3972	cmd.exe	123
PID 3972 wrote to memory of 4124	3972	cmd.exe	123

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4676
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:540
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:3580
- C:\Windows\system32\findstr.exe
  findstr /L /I set C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat
  2⤵
  PID:4824
- C:\Windows\system32\findstr.exe
  findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat
  2⤵
  PID:1044
- C:\Windows\system32\findstr.exe
  findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat
  2⤵
  PID:1492
- C:\Windows\system32\findstr.exe
  findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat
  2⤵
  PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4044
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\system32\findstr.exe
  findstr /C:"Intel Core Processor (Broadwell)"
  2⤵
  PID:844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4768
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1040
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1012
- C:\Windows\system32\findstr.exe
  findstr /L /I set "C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat"
  2⤵
  PID:3364
- C:\Windows\system32\findstr.exe
  findstr /L /I goto "C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat"
  2⤵
  PID:2876
- C:\Windows\system32\findstr.exe
  findstr /L /I echo "C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat"
  2⤵
  PID:4292
- C:\Windows\system32\findstr.exe
  findstr /L /I pause "C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat"
  2⤵
  PID:512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2192
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get Name
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\system32\findstr.exe
  findstr /C:"Intel Core Processor (Broadwell)"
  2⤵
  PID:4124

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RobuxGiver\Run.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4416

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

13.107.21.237

dual-a-0034.a-msedge.net

IN A

204.79.197.237
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR

Response
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR
DNS

22.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.160.190.20.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0054c2088eaa445c85adc8ee701d1859&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

Remote address:

13.107.21.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0054c2088eaa445c85adc8ee701d1859&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
DNS

237.21.107.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.21.107.13.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

13.107.21.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0054c2088eaa445c85adc8ee701d1859&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

tls, http2

2.5kB
7.5kB
17
8

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0054c2088eaa445c85adc8ee701d1859&localId=w:58F15D5C-450D-8348-2910-A8A47129F4C2&deviceId=6825833575955334&anid=

8.8.8.8:53

g.bing.com

dns

224 B
151 B
4
1

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Response

13.107.21.237

204.79.197.237
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

22.160.190.20.in-addr.arpa

dns

360 B
158 B
5
1

DNS Request

22.160.190.20.in-addr.arpa

DNS Request

22.160.190.20.in-addr.arpa

DNS Request

22.160.190.20.in-addr.arpa

DNS Request

22.160.190.20.in-addr.arpa

DNS Request

22.160.190.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

370 B
128 B
5
1

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

365 B
144 B
5
1

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

237.21.107.13.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

237.21.107.13.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

205.47.74.20.in-addr.arpa

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

288 B
158 B
4
1

DNS Request

28.118.140.52.in-addr.arpa

DNS Request

28.118.140.52.in-addr.arpa

DNS Request

28.118.140.52.in-addr.arpa

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

219 B
159 B
3
1

DNS Request

228.249.119.40.in-addr.arpa

DNS Request

228.249.119.40.in-addr.arpa

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

216 B
158 B
3
1

DNS Request

209.205.72.20.in-addr.arpa

DNS Request

209.205.72.20.in-addr.arpa

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

140 B
144 B
2
1

DNS Request

86.23.85.13.in-addr.arpa

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
1

DNS Request

56.126.166.20.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RobuxGiver\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.