Analysis
- max time kernel: 94s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 02:23
Behavioral tasks (each sample was run once on a Windows 7 image and once on a Windows 10 2004 image)
- behavioral1: New folder (4)/free robbux/BrowsingHistoryView.exe, resource win7-20240903-en
- behavioral2: New folder (4)/free robbux/BrowsingHistoryView.exe, resource win10v2004-20241007-en
- behavioral3: New folder (4)/free robbux/ChromeHistoryView.exe, resource win7-20241023-en
- behavioral4: New folder (4)/free robbux/ChromeHistoryView.exe, resource win10v2004-20241007-en
- behavioral5: New folder (4)/free robbux/ChromePass.exe, resource win7-20240903-en
- behavioral6: New folder (4)/free robbux/ChromePass.exe, resource win10v2004-20241007-en
- behavioral7: New folder (4)/free robbux/OperaPassView.exe, resource win7-20240708-en
- behavioral8: New folder (4)/free robbux/OperaPassView.exe, resource win10v2004-20241007-en
- behavioral9: New folder (4)/free robbux/PasswordFox.exe, resource win7-20240729-en
- behavioral10: New folder (4)/free robbux/PasswordFox.exe, resource win10v2004-20241007-en
- behavioral11: New folder (4)/free robbux/RouterPassView.exe, resource win7-20241023-en
- behavioral12: New folder (4)/free robbux/RouterPassView.exe, resource win10v2004-20241007-en
- behavioral13: New folder (4)/free robbux/SkypeLogView.exe, resource win7-20240903-en
- behavioral14: New folder (4)/free robbux/SkypeLogView.exe, resource win10v2004-20241007-en
- behavioral15: New folder (4)/free robbux/WebBrowserPassView.exe, resource win7-20241010-en
- behavioral16: New folder (4)/free robbux/WebBrowserPassView.exe, resource win10v2004-20241007-en
- behavioral17: New folder (4)/free robbux/iepv.exe, resource win7-20240903-en
- behavioral18: New folder (4)/free robbux/iepv.exe, resource win10v2004-20241007-en
- behavioral19: New folder (4)/free robbux/mailpv.exe, resource win7-20240903-en
- behavioral20: New folder (4)/free robbux/mailpv.exe, resource win10v2004-20241007-en
- behavioral21: New folder (4)/free robbux/mspass.exe, resource win7-20240903-en
- behavioral22: New folder (4)/free robbux/mspass.exe, resource win10v2004-20241007-en
- behavioral23: New folder (4)/free robbux/pspv.exe, resource win7-20240903-en
- behavioral24: New folder (4)/free robbux/pspv.exe, resource win10v2004-20241007-en
- behavioral25: New folder (4)/free robbux/robuxboi.bat, resource win7-20240903-en
- behavioral26: New folder (4)/free robbux/robuxboi.bat, resource win10v2004-20241007-en

The sections below are the results of behavioral26: the batch file robuxboi.bat run on win10v2004-20241007-en. The batch file is the orchestrator; the twelve executables are the NirSoft credential and history viewers it launches.
General
- Target: New folder (4)/free robbux/robuxboi.bat
- Size: 7KB
- MD5: 65dcdf6be470f4b69915c4cbf7c10877
- SHA1: e480cf30454a0f5c09ac73cdf72192a1abf26713
- SHA256: 6cfb933d54ecd331128570b9ed31c25a7520dcd70fc8cbac041f78c90abaa509
- SHA512: 3f8e19f84bf4789c91937c902c799ae59c29b8087176f6d02d22bde2b0336fed58377b82df4c72f532ce99714ee1d885b325a01fbec267bdf981d6d58038b567
- SSDEEP: 96:dy1jI+hFjju23zX0FoyFaIU7yeevW5My0FEvVkv2vt98JQyFjKq1eGWWg:dKLjaQzX0aaaIK70FKVPP7ysCzrg
Malware Config
Signatures
- Detected Nirsoft tools (6 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  YARA rule "Nirsoft" matched on these memory dumps (PID mapped to the image from the process tree below):
  behavioral26/memory/2424-10-0x0000000000400000-0x0000000000429000-memory.dmp  (2424 RouterPassView.exe)
  behavioral26/memory/5072-14-0x0000000000400000-0x0000000000452000-memory.dmp  (5072 SkypeLogView.exe)
  behavioral26/memory/1080-12-0x0000000000400000-0x0000000000419000-memory.dmp  (1080 OperaPassView.exe)
  behavioral26/memory/3988-16-0x0000000000400000-0x0000000000426000-memory.dmp  (3988 mspass.exe)
  behavioral26/memory/556-19-0x0000000000400000-0x000000000041C000-memory.dmp   (556 iepv.exe)
  behavioral26/memory/1700-24-0x0000000000400000-0x000000000044F000-memory.dmp  (1700 ChromeHistoryView.exe)
  All six regions start at 0x400000, the default image base of the 32-bit NirSoft binaries, so the rule is matching the unpacked main module in memory rather than a separate injected region.

- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Process: mailpv.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  (mailpv.exe)

- UPX-packed (YARA rule "upx", 12 IoCs)
  The signature heading was lost in extraction; the rule name on each hit is "upx". Matches on memory dumps:
  behavioral26/memory/5072-0-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral26/memory/2424-1-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral26/memory/1080-2-0x0000000000400000-0x0000000000419000-memory.dmp
  behavioral26/memory/3988-3-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral26/memory/2424-10-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral26/memory/5072-14-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral26/memory/1080-12-0x0000000000400000-0x0000000000419000-memory.dmp
  behavioral26/memory/3988-16-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral26/memory/556-17-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral26/memory/556-19-0x0000000000400000-0x000000000041C000-memory.dmp
  behavioral26/memory/1700-21-0x0000000000400000-0x000000000044F000-memory.dmp
  behavioral26/memory/1700-24-0x0000000000400000-0x000000000044F000-memory.dmp
  The same six PIDs (and the same 0x400000 regions) as the Nirsoft hits; the "Nirsoft" rule fires on the later dump of each process, after the UPX stub has unpacked the original code.

- System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  By each of: WebBrowserPassView.exe, PasswordFox.exe, OperaPassView.exe, mspass.exe, mailpv.exe, ChromePass.exe, RouterPassView.exe, pspv.exe, SkypeLogView.exe, iepv.exe, ChromeHistoryView.exe, BrowsingHistoryView.exe
  This is the NirSoft tools' normal locale lookup for their UI strings, not a geofencing check specific to this batch file.

- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  Process: PING.EXE (PID 3840, see the process tree below). The command is "ping -n 5 127.0.0.1", a loopback ping, which in a batch file is the usual idiom for a delay of a few seconds rather than a connectivity check.

- Runs ping.exe (1 TTP, 1 IoC)
  Process: PING.EXE (PID 3840)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: mspass.exe (PID 3988), two entries

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege    3988 mspass.exe
  Token: SeDebugPrivilege    556 iepv.exe
  Token: SeRestorePrivilege  556 iepv.exe
  Token: SeBackupPrivilege   556 iepv.exe

- Suspicious use of WriteProcessMemory (38 IoCs)
  Process: cmd.exe (PID 1316). In the raw list each child appears three times (three writes per process creation) and PING.EXE twice; 12 x 3 + 2 = 38.
  PID 1316 cmd.exe wrote to memory of:
  2872 WebBrowserPassView.exe (3)
  5072 SkypeLogView.exe (3)
  2424 RouterPassView.exe (3)
  4224 pspv.exe (3)
  1592 PasswordFox.exe (3)
  1080 OperaPassView.exe (3)
  3988 mspass.exe (3)
  2768 mailpv.exe (3)
  556 iepv.exe (3)
  1844 ChromePass.exe (3)
  1700 ChromeHistoryView.exe (3)
  4540 BrowsingHistoryView.exe (3)
  3840 PING.EXE (2)
  These are the parent writing into each child it creates, the same pattern for every child including ping; they are not injection into an unrelated process.
Processes
- C:\Windows\system32\cmd.exe (PID 1316)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"
  Signatures: Suspicious use of WriteProcessMemory
  Children, all launched by the batch file. Every NirSoft tool is run with its /stext switch, which writes the results silently to a text file, here named <tool>_11102024_YLFOGIOE_Admin.txt (date, a random token, and the user name), with no window shown:
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe (PID 2872)
    Command line: WebBrowserPassView.exe /stext WebBrowserPassView_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe (PID 5072)
    Command line: SkypeLogView.exe /stext SkypeLogView_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe (PID 2424)
    Command line: RouterPassView.exe /stext RouterPassView_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe (PID 4224)
    Command line: pspv.exe /stext pspv_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe (PID 1592)
    Command line: PasswordFox.exe /stext PasswordFox_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe (PID 1080)
    Command line: OperaPassView.exe /stext OperaPassView_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe (PID 3988)
    Command line: mspass.exe /stext mspass_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe (PID 2768)
    Command line: mailpv.exe /stext mailpv_11102024_YLFOGIOE_Admin.txt
    Signatures: Accesses Microsoft Outlook accounts; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe (PID 556)
    Command line: iepv.exe /stext iepv_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe (PID 1844)
    Command line: ChromePass.exe /stext ChromePass_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe (PID 1700)
    Command line: ChromeHistoryView.exe /stext ChromeHistoryView_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe (PID 4540)
    Command line: BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_YLFOGIOE_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\system32\PING.EXE (PID 3840)
    Command line: ping -n 5 127.0.0.1
    Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    Five pings to loopback is a batch-file sleep of roughly four seconds, run after the dumpers so their output files are complete; nothing is sent off-host, and the report's Network section is empty.

Taken together: a "free robux" lure drops a folder of legitimate, signed-by-nobody NirSoft recovery tools and a batch file that runs each one in silent text-export mode, collecting browser, mail, messenger, router and protected-storage credentials and browsing history into text files next to the binaries. No exfiltration step is visible in this run; whatever collects the .txt files happens outside the sandbox window or in a component not in this submission.
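The process tree above is a recognisable shape for an endpoint detection: one cmd.exe running a .bat, and a burst of NirSoft viewers under it, each with a silent-export switch. The following is an added example, not code from the sandbox report or from NirSoft, that turns that shape into a correlation rule over process-creation events. The events are constructed to mirror the report (PIDs and command lines are copied from the tree); the field names are an assumption modelled on Sysmon Event ID 1, and the rule generalises beyond this sample by matching any NirSoft silent-export switch (/stext, /stab, /scomma, /shtml, /sxml, ...), not only /stext.

```python
"""Added example: flag a parent that launches several NirSoft credential/history
viewers in silent-export mode, as robuxboi.bat does in the report above.

Event field names (Image, CommandLine, ProcessId, ParentImage, ParentProcessId,
ParentCommandLine) are an assumption modelled on Sysmon Event ID 1."""
import re
from collections import defaultdict

# NirSoft image names seen in the report, lower-cased basenames.
NIRSOFT_TOOLS = {
    "webbrowserpassview.exe", "skypelogview.exe", "routerpassview.exe",
    "pspv.exe", "passwordfox.exe", "operapassview.exe", "mspass.exe",
    "mailpv.exe", "iepv.exe", "chromepass.exe", "chromehistoryview.exe",
    "browsinghistoryview.exe",
}

# NirSoft "save to file without UI" switches; the report only shows /stext.
SILENT_EXPORT = re.compile(
    r"(?i)(?:^|\s)/s(?:text|tab|tabular|comma|html|verhtml|xml|json)\b")


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict):
    """Return a finding for one process-creation event, or None if not a NirSoft tool."""
    image = basename(ev["Image"])
    if image not in NIRSOFT_TOOLS:
        return None
    m = SILENT_EXPORT.search(ev["CommandLine"])
    output = None
    if m:  # the token after the switch is the export file name
        rest = ev["CommandLine"][m.end():].strip()
        output = rest.split()[0] if rest else None
    parent = basename(ev["ParentImage"])
    return {
        "pid": ev["ProcessId"], "tool": image, "silent_export": bool(m),
        "output": output, "parent": parent, "ppid": ev["ParentProcessId"],
        "parent_is_batch": parent == "cmd.exe"
                           and ".bat" in ev.get("ParentCommandLine", "").lower(),
    }


def correlate(events, min_tools: int = 3):
    """Group NirSoft launches by parent PID and alert when one parent started at
    least min_tools distinct tools (the report's cmd.exe started twelve)."""
    by_parent = defaultdict(list)
    for ev in events:
        f = classify_event(ev)
        if f:
            by_parent[f["ppid"]].append(f)
    alerts = []
    for ppid, fs in by_parent.items():
        tools = sorted({f["tool"] for f in fs})
        if len(tools) >= min_tools:
            alerts.append({
                "parent_pid": ppid, "parent": fs[0]["parent"],
                "from_batch": any(f["parent_is_batch"] for f in fs),
                "tools": tools,
                "silent_exports": sum(f["silent_export"] for f in fs),
                "outputs": [f["output"] for f in fs if f["output"]],
            })
    return alerts


# Constructed events mirroring the report's tree (a subset of the 12 children).
BAT = r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"'
DIR = r"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux"


def _ev(pid, image, cmdline, parent_image=r"C:\Windows\system32\cmd.exe",
        ppid=1316, parent_cmd=BAT):
    return {"ProcessId": pid, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent_image, "ParentProcessId": ppid,
            "ParentCommandLine": parent_cmd}


SAMPLE_EVENTS = [
    _ev(2872, DIR + r"\WebBrowserPassView.exe",
        "WebBrowserPassView.exe /stext WebBrowserPassView_11102024_YLFOGIOE_Admin.txt"),
    _ev(3988, DIR + r"\mspass.exe", "mspass.exe /stext mspass_11102024_YLFOGIOE_Admin.txt"),
    _ev(2768, DIR + r"\mailpv.exe", "mailpv.exe /stext mailpv_11102024_YLFOGIOE_Admin.txt"),
    _ev(556, DIR + r"\iepv.exe", "iepv.exe /stext iepv_11102024_YLFOGIOE_Admin.txt"),
    _ev(1844, DIR + r"\ChromePass.exe", "ChromePass.exe /stext ChromePass_11102024_YLFOGIOE_Admin.txt"),
    _ev(3840, r"C:\Windows\system32\PING.EXE", "ping -n 5 127.0.0.1"),
    # constructed benign event: a user opening Notepad from Explorer
    _ev(4100, r"C:\Windows\system32\notepad.exe", "notepad.exe",
        parent_image=r"C:\Windows\explorer.exe", ppid=900, parent_cmd="explorer.exe"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A single NirSoft launch is a weak signal (administrators do run these tools); the threshold on distinct tools per parent, plus the batch-file parent and the silent-export switch, is what separates this sample's pattern from legitimate use. Image-name matching is also trivially evaded by renaming, so in production pair it with the original file name from the PE version resource or with the memory YARA hits the report shows.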
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView_11102024_YLFOGIOE_Admin.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84