General
-
Target
RobloxPlayerInstaller.exe
-
Size
4.6MB
-
Sample
240917-vrr7msvbrk
-
MD5
f16ac9b02b4726b444b383d76db1ae18
-
SHA1
7388c264874447d1ded6b6acaa35d26144d023a9
-
SHA256
f59c4acec3cd952c3ab981d56e1e68f543ad8684a3b44c6b59b70fbabc2b5ff0
-
SHA512
9bf0e99eae1406341358c787de4bfd412933af8ca064e0aa09f0bf6893b5d5d9899a82d360f423cc7fae6d647e7196778fddee031508caae99f4a9316e6edf39
-
SSDEEP
98304:Q+v//h75UcT+6O6QCp4jgzg2ar8S9rpTwkTPKXbSz:Jnh75nTS6Qvg3utwSiE
Static task
static1
Behavioral task
behavioral1
Sample
RobloxPlayerInstaller.exe
Resource
win11-20240802-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry (1).zip\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
-
-
Target
RobloxPlayerInstaller.exe
-
Size
4.6MB
-
MD5
f16ac9b02b4726b444b383d76db1ae18
-
SHA1
7388c264874447d1ded6b6acaa35d26144d023a9
-
SHA256
f59c4acec3cd952c3ab981d56e1e68f543ad8684a3b44c6b59b70fbabc2b5ff0
-
SHA512
9bf0e99eae1406341358c787de4bfd412933af8ca064e0aa09f0bf6893b5d5d9899a82d360f423cc7fae6d647e7196778fddee031508caae99f4a9316e6edf39
-
SSDEEP
98304:Q+v//h75UcT+6O6QCp4jgzg2ar8S9rpTwkTPKXbSz:Jnh75nTS6Qvg3utwSiE
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file
-
Modifies file permissions
-
Adds Run key to start application
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Sets desktop wallpaper using registry
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
1File Deletion
1Modify Registry
5Discovery
Browser Information Discovery
1Network Service Discovery
1Network Share Discovery
1Query Registry
4System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1