Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 02:23

General

  • Target

    New folder (4)/free robbux/robuxboi.bat

  • Size

    7KB

  • MD5

    65dcdf6be470f4b69915c4cbf7c10877

  • SHA1

    e480cf30454a0f5c09ac73cdf72192a1abf26713

  • SHA256

    6cfb933d54ecd331128570b9ed31c25a7520dcd70fc8cbac041f78c90abaa509

  • SHA512

    3f8e19f84bf4789c91937c902c799ae59c29b8087176f6d02d22bde2b0336fed58377b82df4c72f532ce99714ee1d885b325a01fbec267bdf981d6d58038b567

  • SSDEEP

    96:dy1jI+hFjju23zX0FoyFaIU7yeevW5My0FEvVkv2vt98JQyFjKq1eGWWg:dKLjaQzX0aaaIK70FKVPP7ysCzrg

Malware Config

Signatures

  • Detected Nirsoft tools 7 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
      WebBrowserPassView.exe /stext WebBrowserPassView_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2276
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
      SkypeLogView.exe /stext SkypeLogView_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2304
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
      RouterPassView.exe /stext RouterPassView_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
      pspv.exe /stext pspv_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2188
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
      PasswordFox.exe /stext PasswordFox_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1608
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
      OperaPassView.exe /stext OperaPassView_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1880
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
      mspass.exe /stext mspass_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
      mailpv.exe /stext mailpv_11102024_KHBTHJFA_Admin.txt
      2⤵
      • Accesses Microsoft Outlook accounts
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1268
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
      iepv.exe /stext iepv_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
      ChromePass.exe /stext ChromePass_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2816
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
      ChromeHistoryView.exe /stext ChromeHistoryView_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2944
    • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
      BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_KHBTHJFA_Admin.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2956
    • C:\Windows\system32\PING.EXE
      ping -n 5 127.0.0.1
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass_11102024_KHBTHJFA_Admin.txt

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/1816-16-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/1816-21-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/1880-4-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2304-2-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/2312-3-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2312-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2580-11-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2580-14-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

  • memory/2944-15-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

  • memory/2944-19-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB