Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 02:23
Behavioral tasks (task: sample, resource)

behavioral1: New folder (4)/free robbux/BrowsingHistoryView.exe, win7-20240903-en
behavioral2: New folder (4)/free robbux/BrowsingHistoryView.exe, win10v2004-20241007-en
behavioral3: New folder (4)/free robbux/ChromeHistoryView.exe, win7-20241023-en
behavioral4: New folder (4)/free robbux/ChromeHistoryView.exe, win10v2004-20241007-en
behavioral5: New folder (4)/free robbux/ChromePass.exe, win7-20240903-en
behavioral6: New folder (4)/free robbux/ChromePass.exe, win10v2004-20241007-en
behavioral7: New folder (4)/free robbux/OperaPassView.exe, win7-20240708-en
behavioral8: New folder (4)/free robbux/OperaPassView.exe, win10v2004-20241007-en
behavioral9: New folder (4)/free robbux/PasswordFox.exe, win7-20240729-en
behavioral10: New folder (4)/free robbux/PasswordFox.exe, win10v2004-20241007-en
behavioral11: New folder (4)/free robbux/RouterPassView.exe, win7-20241023-en
behavioral12: New folder (4)/free robbux/RouterPassView.exe, win10v2004-20241007-en
behavioral13: New folder (4)/free robbux/SkypeLogView.exe, win7-20240903-en
behavioral14: New folder (4)/free robbux/SkypeLogView.exe, win10v2004-20241007-en
behavioral15: New folder (4)/free robbux/WebBrowserPassView.exe, win7-20241010-en
behavioral16: New folder (4)/free robbux/WebBrowserPassView.exe, win10v2004-20241007-en
behavioral17: New folder (4)/free robbux/iepv.exe, win7-20240903-en
behavioral18: New folder (4)/free robbux/iepv.exe, win10v2004-20241007-en
behavioral19: New folder (4)/free robbux/mailpv.exe, win7-20240903-en
behavioral20: New folder (4)/free robbux/mailpv.exe, win10v2004-20241007-en
behavioral21: New folder (4)/free robbux/mspass.exe, win7-20240903-en
behavioral22: New folder (4)/free robbux/mspass.exe, win10v2004-20241007-en
behavioral23: New folder (4)/free robbux/pspv.exe, win7-20240903-en
behavioral24: New folder (4)/free robbux/pspv.exe, win10v2004-20241007-en
behavioral25: New folder (4)/free robbux/robuxboi.bat, win7-20240903-en
behavioral26: New folder (4)/free robbux/robuxboi.bat, win10v2004-20241007-en
General

Target: New folder (4)/free robbux/robuxboi.bat
Size: 7KB
MD5: 65dcdf6be470f4b69915c4cbf7c10877
SHA1: e480cf30454a0f5c09ac73cdf72192a1abf26713
SHA256: 6cfb933d54ecd331128570b9ed31c25a7520dcd70fc8cbac041f78c90abaa509
SHA512: 3f8e19f84bf4789c91937c902c799ae59c29b8087176f6d02d22bde2b0336fed58377b82df4c72f532ce99714ee1d885b325a01fbec267bdf981d6d58038b567
SSDEEP: 96:dy1jI+hFjju23zX0FoyFaIU7yeevW5My0FEvVkv2vt98JQyFjKq1eGWWg:dKLjaQzX0aaaIK70FKVPP7ysCzrg
Signatures

Detected Nirsoft tools (7 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes (resource / yara_rule):
  behavioral25/memory/1880-4-0x0000000000400000-0x0000000000419000-memory.dmp   Nirsoft
  behavioral25/memory/2304-2-0x0000000000400000-0x0000000000452000-memory.dmp   Nirsoft
  behavioral25/memory/2312-9-0x0000000000400000-0x0000000000429000-memory.dmp   Nirsoft
  behavioral25/memory/1816-16-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
  behavioral25/memory/2580-14-0x0000000000400000-0x0000000000426000-memory.dmp  Nirsoft
  behavioral25/memory/2944-19-0x0000000000400000-0x000000000044F000-memory.dmp  Nirsoft
  behavioral25/memory/1816-21-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: mailpv.exe (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  mailpv.exe

Matches for yara rule upx
Processes (resource / yara_rule):
  behavioral25/memory/1880-4-0x0000000000400000-0x0000000000419000-memory.dmp   upx
  behavioral25/memory/2312-3-0x0000000000400000-0x0000000000429000-memory.dmp   upx
  behavioral25/memory/2304-2-0x0000000000400000-0x0000000000452000-memory.dmp   upx
  behavioral25/memory/2312-9-0x0000000000400000-0x0000000000429000-memory.dmp   upx
  behavioral25/memory/2580-11-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral25/memory/2944-15-0x0000000000400000-0x000000000044F000-memory.dmp  upx
  behavioral25/memory/1816-16-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral25/memory/2580-14-0x0000000000400000-0x0000000000426000-memory.dmp  upx
  behavioral25/memory/2944-19-0x0000000000400000-0x000000000044F000-memory.dmp  upx
  behavioral25/memory/1816-21-0x0000000000400000-0x000000000041C000-memory.dmp  upx

System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by each of: SkypeLogView.exe, pspv.exe, RouterPassView.exe, ChromePass.exe, iepv.exe, BrowsingHistoryView.exe, ChromeHistoryView.exe, WebBrowserPassView.exe, OperaPassView.exe, PasswordFox.exe, mspass.exe, mailpv.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: CmdExeWriteProcessMemorySpam (12 IoCs)
Processes (pid / process):
  2276  WebBrowserPassView.exe
  2304  SkypeLogView.exe
  2312  RouterPassView.exe
  2188  pspv.exe
  1608  PasswordFox.exe
  1880  OperaPassView.exe
  2580  mspass.exe
  1268  mailpv.exe
  1816  iepv.exe
  2816  ChromePass.exe
  2944  ChromeHistoryView.exe
  2956  BrowsingHistoryView.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege    2580  mspass.exe
  Token: SeDebugPrivilege    1816  iepv.exe
  Token: SeRestorePrivilege  1816  iepv.exe
  Token: SeBackupPrivilege   1816  iepv.exe

Suspicious use of WriteProcessMemory (51 IoCs)
Processes (description / pid / process / target process); each row below appears four times in the report except the PING.EXE row, which appears three times:
  PID 2204 wrote to memory of 2276  2204  cmd.exe  WebBrowserPassView.exe
  PID 2204 wrote to memory of 2304  2204  cmd.exe  SkypeLogView.exe
  PID 2204 wrote to memory of 2312  2204  cmd.exe  RouterPassView.exe
  PID 2204 wrote to memory of 2188  2204  cmd.exe  pspv.exe
  PID 2204 wrote to memory of 1608  2204  cmd.exe  PasswordFox.exe
  PID 2204 wrote to memory of 1880  2204  cmd.exe  OperaPassView.exe
  PID 2204 wrote to memory of 2580  2204  cmd.exe  mspass.exe
  PID 2204 wrote to memory of 1268  2204  cmd.exe  mailpv.exe
  PID 2204 wrote to memory of 1816  2204  cmd.exe  iepv.exe
  PID 2204 wrote to memory of 2816  2204  cmd.exe  ChromePass.exe
  PID 2204 wrote to memory of 2944  2204  cmd.exe  ChromeHistoryView.exe
  PID 2204 wrote to memory of 2956  2204  cmd.exe  BrowsingHistoryView.exe
  PID 2204 wrote to memory of 2960  2204  cmd.exe  PING.EXE
Processes

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"
  PID: 2204
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
    WebBrowserPassView.exe /stext WebBrowserPassView_11102024_KHBTHJFA_Admin.txt
    PID: 2276
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
    SkypeLogView.exe /stext SkypeLogView_11102024_KHBTHJFA_Admin.txt
    PID: 2304
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
    RouterPassView.exe /stext RouterPassView_11102024_KHBTHJFA_Admin.txt
    PID: 2312
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
    pspv.exe /stext pspv_11102024_KHBTHJFA_Admin.txt
    PID: 2188
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
    PasswordFox.exe /stext PasswordFox_11102024_KHBTHJFA_Admin.txt
    PID: 1608
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
    OperaPassView.exe /stext OperaPassView_11102024_KHBTHJFA_Admin.txt
    PID: 1880
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
    mspass.exe /stext mspass_11102024_KHBTHJFA_Admin.txt
    PID: 2580
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
    mailpv.exe /stext mailpv_11102024_KHBTHJFA_Admin.txt
    PID: 1268
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
    iepv.exe /stext iepv_11102024_KHBTHJFA_Admin.txt
    PID: 1816
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
    ChromePass.exe /stext ChromePass_11102024_KHBTHJFA_Admin.txt
    PID: 2816
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
    ChromeHistoryView.exe /stext ChromeHistoryView_11102024_KHBTHJFA_Admin.txt
    PID: 2944
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
    BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_KHBTHJFA_Admin.txt
    PID: 2956
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Windows\system32\PING.EXE
    ping -n 5 127.0.0.1
    PID: 2960
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe