55337dd9224f9000e7cd253bb5a203613c9e8c176b9403ff2d4a784cfd214a1c

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Hotmail Checker v1.3.1.rar
Size

3KB
MD5

0b03ad0787e24510d1457a89422226f6
SHA1

37ca2b07c3894e6eb2338bb2bd0866a11bb1e90b
SHA256

55337dd9224f9000e7cd253bb5a203613c9e8c176b9403ff2d4a784cfd214a1c
SHA512

c99536671c9f008471a6068d4eb260d375f0c0f07932f2e95c6b47dc68f92c6fca2426593f08e57da44c489f1e24151d150daad22bfd032f06a163fda981665b

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.json	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3032	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2060	7zFM.exe
Token: 35	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe
Token: SeSecurityPrivilege	2060	7zFM.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe
2060	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3056	AcroRd32.exe
3056	AcroRd32.exe
1672	AcroRd32.exe
1672	AcroRd32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3032	2060	7zFM.exe	31
PID 2060 wrote to memory of 3032	2060	7zFM.exe	31
PID 2060 wrote to memory of 3032	2060	7zFM.exe	31
PID 2060 wrote to memory of 2820	2060	7zFM.exe	32
PID 2060 wrote to memory of 2820	2060	7zFM.exe	32
PID 2060 wrote to memory of 2820	2060	7zFM.exe	32
PID 2060 wrote to memory of 2820	2060	7zFM.exe	32
PID 2060 wrote to memory of 2820	2060	7zFM.exe	32
PID 2060 wrote to memory of 2900	2060	7zFM.exe	34
PID 2060 wrote to memory of 2900	2060	7zFM.exe	34
PID 2060 wrote to memory of 2900	2060	7zFM.exe	34
PID 2060 wrote to memory of 2900	2060	7zFM.exe	34
PID 2060 wrote to memory of 2900	2060	7zFM.exe	34
PID 2060 wrote to memory of 2628	2060	7zFM.exe	36
PID 2060 wrote to memory of 2628	2060	7zFM.exe	36
PID 2060 wrote to memory of 2628	2060	7zFM.exe	36
PID 2060 wrote to memory of 2156	2060	7zFM.exe	37
PID 2060 wrote to memory of 2156	2060	7zFM.exe	37
PID 2060 wrote to memory of 2156	2060	7zFM.exe	37
PID 2156 wrote to memory of 3056	2156	rundll32.exe	38
PID 2156 wrote to memory of 3056	2156	rundll32.exe	38
PID 2156 wrote to memory of 3056	2156	rundll32.exe	38
PID 2156 wrote to memory of 3056	2156	rundll32.exe	38
PID 2060 wrote to memory of 2928	2060	7zFM.exe	40
PID 2060 wrote to memory of 2928	2060	7zFM.exe	40
PID 2060 wrote to memory of 2928	2060	7zFM.exe	40
PID 2060 wrote to memory of 2928	2060	7zFM.exe	40
PID 2060 wrote to memory of 2928	2060	7zFM.exe	40
PID 2060 wrote to memory of 1672	2060	7zFM.exe	42
PID 2060 wrote to memory of 1672	2060	7zFM.exe	42
PID 2060 wrote to memory of 1672	2060	7zFM.exe	42
PID 2060 wrote to memory of 1672	2060	7zFM.exe	42

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox Hotmail Checker v1.3.1.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC08E3127\combos.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3032
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC08790C7\install packages.bat" "
  2⤵
  PID:2820
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC080CDC7\install packages.bat" "
  2⤵
  PID:2900
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC085DF78\package.json
  2⤵
  - Modifies registry class
  PID:2628
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC0853248\package.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC0853248\package.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3056
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC08D5FA8\install packages.bat" "
  2⤵
  PID:2928
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC08699B8\package.json"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC0853248\package.json

Filesize
441B

MD5
8b51196db01a3f2d2e046878e2b17e0b

SHA1
1f778164dfd6c825777864d81cab25ca9819a0ae

SHA256
293d46719a8d26e8639a4b0870e587c14bf60c5cc3e8aef04fc06a71424696d1

SHA512
23f359d407f3696010150b35023acb7dd4c824d576fb727ba96967f96cd2d9a5d6a23e5a687622044639b448685caeffa6b2c999bd21ea42f1729ccf36f64143

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC08790C7\install packages.bat

Filesize
11B

MD5
d53119ba0bc09eb2a1dac8ee89c2cae2

SHA1
494b8cb7fb2fb65b62f0576568965dcb777a6103

SHA256
3a2dc0ae21eb56d78a0eb6bbd0f4512da04f9f94f6ee6c6a338c3e4cb1a8ff91

SHA512
69619c8c2cc379826db2b65011948e022b335d91d7ceb23152056b5c547033fc617e18a2d26d1bcb79493b9b7874ac15e24eeb5d3652b92da43678d4a2f58690

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d103feb2f27ef274aac9e70afd067626

SHA1
8951aed067d72abfca79475b2956a7bc32a404b1

SHA256
07ace4223a5cb4774f7bde408c51eba930928b86b0959477d1b8b986763c351e

SHA512
576401d6cb36766a9a7b7979809107288883925f5196e0189ed62d13f1352713efb04e9cd4e91a10dbdfc102733c696ec214648eb08124eaef265184d76f4909

Download Submit