Analysis

  • max time kernel
    447s
  • max time network
    1168s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/09/2024, 12:55

General

  • Target

    robux.bat

  • Size

    275B

  • MD5

    2755ddff80a52ce0f898dd86d2e0c386

  • SHA1

    1507f5f1f593ef9f658922b3346ffc8ee550937c

  • SHA256

    b35cb19f790d4ab3b8218ac1ff839fb021916a00d0cb6884eeb82c899b8dd5ed

  • SHA512

    2903bc0f38128edcd52576f67b1ce481ec7e341b8916697a3a041ee918c3eb8c2ada0cb2078301db8cfd90edde8aa1b1425432d23db2cffcbaf9f690fe26407e

Score
1/10

Malware Config

Signatures

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\robux.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic csproduct get uuid /value
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1620
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hardware_id.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:72

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\hardware_id.txt

      Filesize

      14B

      MD5

      ce585c6ba32ac17652d2345118536f9c

      SHA1

      be0e41b3690c42e4c0cdb53d53fc544fb46b758d

      SHA256

      589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

      SHA512

      d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752