Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10-11-2024 03:58
Behavioral tasks (task: sample; resource)
- behavioral1: New folder (4)/free robbux/BrowsingHistoryView.exe; win11-20241007-en
- behavioral2: New folder (4)/free robbux/ChromeHistoryView.exe; win11-20241007-en
- behavioral3: New folder (4)/free robbux/ChromePass.exe; win11-20241007-en
- behavioral4: New folder (4)/free robbux/OperaPassView.exe; win11-20241007-en
- behavioral5: New folder (4)/free robbux/PasswordFox.exe; win11-20241007-en
- behavioral6: New folder (4)/free robbux/RouterPassView.exe; win11-20241007-en
- behavioral7: New folder (4)/free robbux/SkypeLogView.exe; win11-20241007-en
- behavioral8: New folder (4)/free robbux/WebBrowserPassView.exe; win11-20241007-en
- behavioral9: New folder (4)/free robbux/iepv.exe; win11-20241007-en
- behavioral10: New folder (4)/free robbux/mailpv.exe; win11-20241007-en
- behavioral11: New folder (4)/free robbux/mspass.exe; win11-20241023-en
- behavioral12: New folder (4)/free robbux/pspv.exe; win11-20241007-en
- behavioral13: New folder (4)/free robbux/robuxboi.bat; win11-20241007-en
General
- Target: New folder (4)/free robbux/robuxboi.bat
- Size: 7KB
- MD5: 65dcdf6be470f4b69915c4cbf7c10877
- SHA1: e480cf30454a0f5c09ac73cdf72192a1abf26713
- SHA256: 6cfb933d54ecd331128570b9ed31c25a7520dcd70fc8cbac041f78c90abaa509
- SHA512: 3f8e19f84bf4789c91937c902c799ae59c29b8087176f6d02d22bde2b0336fed58377b82df4c72f532ce99714ee1d885b325a01fbec267bdf981d6d58038b567
- SSDEEP: 96:dy1jI+hFjju23zX0FoyFaIU7yeevW5My0FEvVkv2vt98JQyFjKq1eGWWg:dKLjaQzX0aaaIK70FKVPP7ysCzrg
Malware Config
Signatures
Detected Nirsoft tools (6 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes (resource; yara_rule):
- behavioral13/memory/1176-9-0x0000000000400000-0x0000000000429000-memory.dmp; Nirsoft
- behavioral13/memory/3716-8-0x0000000000400000-0x0000000000419000-memory.dmp; Nirsoft
- behavioral13/memory/3156-11-0x0000000000400000-0x0000000000452000-memory.dmp; Nirsoft
- behavioral13/memory/384-13-0x0000000000400000-0x0000000000426000-memory.dmp; Nirsoft
- behavioral13/memory/2796-15-0x0000000000400000-0x000000000041C000-memory.dmp; Nirsoft
- behavioral13/memory/3804-19-0x0000000000400000-0x000000000044F000-memory.dmp; Nirsoft
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes (description; ioc; process):
- Key opened; \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts; mailpv.exe
Processes (resource; yara_rule):
- behavioral13/memory/3156-0-0x0000000000400000-0x0000000000452000-memory.dmp; upx
- behavioral13/memory/1176-1-0x0000000000400000-0x0000000000429000-memory.dmp; upx
- behavioral13/memory/1176-9-0x0000000000400000-0x0000000000429000-memory.dmp; upx
- behavioral13/memory/3716-8-0x0000000000400000-0x0000000000419000-memory.dmp; upx
- behavioral13/memory/3156-11-0x0000000000400000-0x0000000000452000-memory.dmp; upx
- behavioral13/memory/3716-2-0x0000000000400000-0x0000000000419000-memory.dmp; upx
- behavioral13/memory/384-12-0x0000000000400000-0x0000000000426000-memory.dmp; upx
- behavioral13/memory/384-13-0x0000000000400000-0x0000000000426000-memory.dmp; upx
- behavioral13/memory/2796-14-0x0000000000400000-0x000000000041C000-memory.dmp; upx
- behavioral13/memory/2796-15-0x0000000000400000-0x000000000041C000-memory.dmp; upx
- behavioral13/memory/3804-17-0x0000000000400000-0x000000000044F000-memory.dmp; upx
- behavioral13/memory/3804-19-0x0000000000400000-0x000000000044F000-memory.dmp; upx
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description; ioc; process):
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; SkypeLogView.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; RouterPassView.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; pspv.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; OperaPassView.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; iepv.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; ChromePass.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; WebBrowserPassView.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; PasswordFox.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; mspass.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; mailpv.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; ChromeHistoryView.exe
- Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; BrowsingHistoryView.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid; process):
- 384; mspass.exe
- 384; mspass.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description; pid; process):
- Token: SeDebugPrivilege; 384; mspass.exe
- Token: SeDebugPrivilege; 2796; iepv.exe
- Token: SeRestorePrivilege; 2796; iepv.exe
- Token: SeBackupPrivilege; 2796; iepv.exe
Suspicious use of WriteProcessMemory (38 IoCs)
Processes (description; pid; process; target process), identical rows grouped with their row count:
- PID 2244 wrote to memory of 3492; 2244; cmd.exe; WebBrowserPassView.exe (3 rows)
- PID 2244 wrote to memory of 3156; 2244; cmd.exe; SkypeLogView.exe (3 rows)
- PID 2244 wrote to memory of 1176; 2244; cmd.exe; RouterPassView.exe (3 rows)
- PID 2244 wrote to memory of 1208; 2244; cmd.exe; pspv.exe (3 rows)
- PID 2244 wrote to memory of 5032; 2244; cmd.exe; PasswordFox.exe (3 rows)
- PID 2244 wrote to memory of 3716; 2244; cmd.exe; OperaPassView.exe (3 rows)
- PID 2244 wrote to memory of 384; 2244; cmd.exe; mspass.exe (3 rows)
- PID 2244 wrote to memory of 2936; 2244; cmd.exe; mailpv.exe (3 rows)
- PID 2244 wrote to memory of 2796; 2244; cmd.exe; iepv.exe (3 rows)
- PID 2244 wrote to memory of 2856; 2244; cmd.exe; ChromePass.exe (3 rows)
- PID 2244 wrote to memory of 3804; 2244; cmd.exe; ChromeHistoryView.exe (3 rows)
- PID 2244 wrote to memory of 4396; 2244; cmd.exe; BrowsingHistoryView.exe (3 rows)
- PID 2244 wrote to memory of 3228; 2244; cmd.exe; PING.EXE (2 rows)
Processes
- C:\Windows\system32\cmd.exe (PID 2244)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"
  Signatures: Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe (PID 3492)
    Command line: WebBrowserPassView.exe /stext WebBrowserPassView_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe (PID 3156)
    Command line: SkypeLogView.exe /stext SkypeLogView_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe (PID 1176)
    Command line: RouterPassView.exe /stext RouterPassView_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe (PID 1208)
    Command line: pspv.exe /stext pspv_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe (PID 5032)
    Command line: PasswordFox.exe /stext PasswordFox_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe (PID 3716)
    Command line: OperaPassView.exe /stext OperaPassView_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe (PID 384)
    Command line: mspass.exe /stext mspass_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe (PID 2936)
    Command line: mailpv.exe /stext mailpv_11102024_GMTYKXRU_Admin.txt
    Signatures: Accesses Microsoft Outlook accounts; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe (PID 2796)
    Command line: iepv.exe /stext iepv_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe (PID 2856)
    Command line: ChromePass.exe /stext ChromePass_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe (PID 3804)
    Command line: ChromeHistoryView.exe /stext ChromeHistoryView_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe (PID 4396)
    Command line: BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_GMTYKXRU_Admin.txt
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\system32\PING.EXE (PID 3228)
    Command line: ping -n 5 127.0.0.1
    Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView_11102024_GMTYKXRU_Admin.txt
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84