Malware Analysis Report

2024-11-15 09:54

Sample ID 241110-ejmzyszara
Target New folder (4).rar
SHA256 7a8aee0ff7f0eb5c8eda7fecdad3616e44adf6da1cd89dac50ae7e322f9d9ce3
Tags
discovery spyware stealer upx collection
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral5, behavioral12, behavioral13, behavioral11, behavioral7, behavioral6, behavioral10, behavioral3, behavioral4, behavioral8, behavioral9, behavioral1 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
9/10

SHA256

7a8aee0ff7f0eb5c8eda7fecdad3616e44adf6da1cd89dac50ae7e322f9d9ce3

Threat Level: Likely malicious

The file New folder (4).rar was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer upx collection

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:58

Signatures

Detected Nirsoft tools

Matches: 12 (no description, indicator, process or target recorded)

NirSoft MailPassView

Matches: 1 (no description, indicator, process or target recorded)

NirSoft WebBrowserPassView

Matches: 1 (no description, indicator, process or target recorded)

UPX packed file

upx
Matches: 6 (no description, indicator, process or target recorded)

Unsigned PE

Matches: 15 (no description, indicator, process or target recorded)

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

140s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"

Signatures

Detected Nirsoft tools

Matches: 1 (no description, indicator, process or target recorded)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Matches: 2 (no description, indicator, process or target recorded)

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"

Network

Files

memory/3536-0-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3536-1-0x0000000000400000-0x000000000044F000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"

Signatures

Detected Nirsoft tools

Matches: 6 (no description, indicator, process or target recorded)

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A

UPX packed file

upx
Matches: 12 (no description, indicator, process or target recorded)

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2244 wrote to memory of 3492 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 2244 wrote to memory of 3156 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 2244 wrote to memory of 1176 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 2244 wrote to memory of 1208 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 2244 wrote to memory of 5032 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 2244 wrote to memory of 3716 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 2244 wrote to memory of 384 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 2244 wrote to memory of 2936 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 2244 wrote to memory of 2796 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 2244 wrote to memory of 2856 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 2244 wrote to memory of 3804 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 2244 wrote to memory of 4396 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 2244 wrote to memory of 3228 (2 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe

WebBrowserPassView.exe /stext WebBrowserPassView_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe

SkypeLogView.exe /stext SkypeLogView_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe

RouterPassView.exe /stext RouterPassView_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe

pspv.exe /stext pspv_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe

PasswordFox.exe /stext PasswordFox_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe

OperaPassView.exe /stext OperaPassView_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe

mspass.exe /stext mspass_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe

mailpv.exe /stext mailpv_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe

iepv.exe /stext iepv_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe

ChromePass.exe /stext ChromePass_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe

ChromeHistoryView.exe /stext ChromeHistoryView_11102024_GMTYKXRU_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe

BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_GMTYKXRU_Admin.txt

C:\Windows\system32\PING.EXE

ping -n 5 127.0.0.1

Network

Files

memory/3156-0-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1176-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1176-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3716-8-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView_11102024_GMTYKXRU_Admin.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3156-11-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3716-2-0x0000000000400000-0x0000000000419000-memory.dmp

memory/384-12-0x0000000000400000-0x0000000000426000-memory.dmp

memory/384-13-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2796-14-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2796-15-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3804-17-0x0000000000400000-0x000000000044F000-memory.dmp

memory/3804-19-0x0000000000400000-0x000000000044F000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241023-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"

Signatures

Detected Nirsoft tools

Matches: 1 (no description, indicator, process or target recorded)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Matches: 2 (no description, indicator, process or target recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"

Network

Files

memory/4836-0-0x0000000000400000-0x0000000000426000-memory.dmp

memory/4836-1-0x0000000000400000-0x0000000000426000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"

Signatures

Detected Nirsoft tools

Matches: 2 (no description, indicator, process or target recorded)

UPX packed file

upx
Matches: 3 (no description, indicator, process or target recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/3204-0-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3204-1-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3204-2-0x0000000000400000-0x0000000000452000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

140s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"

Signatures

Detected Nirsoft tools

Matches: 1 (no description, indicator, process or target recorded)

UPX packed file

upx
Matches: 2 (no description, indicator, process or target recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"

Network

Files

memory/4628-0-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4628-1-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"

Signatures

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

91s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"

Signatures

Detected Nirsoft tools

Matches: 1 (no description, indicator, process or target recorded)

UPX packed file

upx
Matches: 2 (no description, indicator, process or target recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

memory/4368-0-0x0000000000400000-0x0000000000419000-memory.dmp

memory/4368-1-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 04:01

Platform

win11-20241007-en

Max time kernel

140s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"

Signatures

Detected Nirsoft tools

Matches: 1 (no description, indicator, process or target recorded)

UPX packed file

upx
Matches: 2 (no description, indicator, process or target recorded)

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"

Network

Files

memory/2440-0-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2440-1-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:58

Reported

2024-11-10 03:59

Platform

win11-20241007-en

Max time kernel

15s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"

Network

N/A

Files

N/A