b35cb19f790d4ab3b8218ac1ff839fb021916a00d0cb6884eeb82c899b8dd5ed

Analysis

max time kernel
447s
max time network
1168s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/09/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

robux.bat
Size

275B
MD5

2755ddff80a52ce0f898dd86d2e0c386
SHA1

1507f5f1f593ef9f658922b3346ffc8ee550937c
SHA256

b35cb19f790d4ab3b8218ac1ff839fb021916a00d0cb6884eeb82c899b8dd5ed
SHA512

2903bc0f38128edcd52576f67b1ce481ec7e341b8916697a3a041ee918c3eb8c2ada0cb2078301db8cfd90edde8aa1b1425432d23db2cffcbaf9f690fe26407e

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
72	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3924	WMIC.exe
Token: SeSecurityPrivilege	3924	WMIC.exe
Token: SeTakeOwnershipPrivilege	3924	WMIC.exe
Token: SeLoadDriverPrivilege	3924	WMIC.exe
Token: SeSystemProfilePrivilege	3924	WMIC.exe
Token: SeSystemtimePrivilege	3924	WMIC.exe
Token: SeProfSingleProcessPrivilege	3924	WMIC.exe
Token: SeIncBasePriorityPrivilege	3924	WMIC.exe
Token: SeCreatePagefilePrivilege	3924	WMIC.exe
Token: SeBackupPrivilege	3924	WMIC.exe
Token: SeRestorePrivilege	3924	WMIC.exe
Token: SeShutdownPrivilege	3924	WMIC.exe
Token: SeDebugPrivilege	3924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3924	WMIC.exe
Token: SeRemoteShutdownPrivilege	3924	WMIC.exe
Token: SeUndockPrivilege	3924	WMIC.exe
Token: SeManageVolumePrivilege	3924	WMIC.exe
Token: 33	3924	WMIC.exe
Token: 34	3924	WMIC.exe
Token: 35	3924	WMIC.exe
Token: 36	3924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3924	WMIC.exe
Token: SeSecurityPrivilege	3924	WMIC.exe
Token: SeTakeOwnershipPrivilege	3924	WMIC.exe
Token: SeLoadDriverPrivilege	3924	WMIC.exe
Token: SeSystemProfilePrivilege	3924	WMIC.exe
Token: SeSystemtimePrivilege	3924	WMIC.exe
Token: SeProfSingleProcessPrivilege	3924	WMIC.exe
Token: SeIncBasePriorityPrivilege	3924	WMIC.exe
Token: SeCreatePagefilePrivilege	3924	WMIC.exe
Token: SeBackupPrivilege	3924	WMIC.exe
Token: SeRestorePrivilege	3924	WMIC.exe
Token: SeShutdownPrivilege	3924	WMIC.exe
Token: SeDebugPrivilege	3924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3924	WMIC.exe
Token: SeRemoteShutdownPrivilege	3924	WMIC.exe
Token: SeUndockPrivilege	3924	WMIC.exe
Token: SeManageVolumePrivilege	3924	WMIC.exe
Token: 33	3924	WMIC.exe
Token: 34	3924	WMIC.exe
Token: 35	3924	WMIC.exe
Token: 36	3924	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 4140	884	cmd.exe	79
PID 884 wrote to memory of 4140	884	cmd.exe	79
PID 4140 wrote to memory of 3924	4140	cmd.exe	80
PID 4140 wrote to memory of 3924	4140	cmd.exe	80

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\robux.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1620

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\hardware_id.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:72

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hardware_id.txt

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads