bcdd8b7c9ec736765d4596332c0fec1334b035d4456df1ec25b569f9b6431a23

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roblox.exe
Size

10.7MB
MD5

6898eace70e2da82f257bc78cb081b2f
SHA1

5ac5ed21436d8b4c59c0b62836d531844c571d6d
SHA256

bcdd8b7c9ec736765d4596332c0fec1334b035d4456df1ec25b569f9b6431a23
SHA512

ca719707417a095fe092837e870aefc7e8874ef351e27b5b41e40f46a9e2f6cb2ba915858bc3c99a14c2f1288c71c7ddd9c2adee6588d6b43cd3ba276e1585d2
SSDEEP

196608:EXJw5XZ54Gu3tLvKixbJ5qtWwgbBnNUm1ae30eL3h8g3SGXm4iF+gPa:Gy3RCBKixdoYwgNNp1IeSQSGWpFj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	stub.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	roblox.exe
2904	stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2904	1044	roblox.exe	29
PID 1044 wrote to memory of 2904	1044	roblox.exe	29
PID 1044 wrote to memory of 2904	1044	roblox.exe	29

C:\Users\Admin\AppData\Local\Temp\roblox.exe
"C:\Users\Admin\AppData\Local\Temp\roblox.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\onefile_1044_133789920703918000\stub.exe
  C:\Users\Admin\AppData\Local\Temp\roblox.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1044_133789920703918000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1044_133789920703918000\stub.exe

Filesize
16.1MB

MD5
d09a400f60c7a298e884f90539e9c72f

SHA1
41582ba130bef907e24f87534e7a0fdd37025101

SHA256
700962aa295e2fa207ff522e2f5ca051a2929eb6f252d42c9cb0a56a4f084bfe

SHA512
d8ba2859bb2ea109c1ca33cb924e40bf61db79aefb59324101d9f47a08835d86834790d3bc6bad4151a561ef82265b32d5111bc80f95dce769c5eb4da5116cc9

Download Submit
memory/1044-75-0x000000013F7A0000-0x0000000140272000-memory.dmp

Filesize
10.8MB

Download
memory/2904-40-0x000000013FC50000-0x0000000140CB9000-memory.dmp

Filesize
16.4MB

Download