10d68e96b17fe89e1672bb3df965728067c38107ea3c988dbf0210248fc4d1e6

Resubmissions

12-01-2025 15:47

250112-s792aaykcy 10

12-01-2025 14:03

250112-rcpw7avncy 10

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox HWD/Scripts.py
Size

12KB
MD5

c559ad84688d4b3550b8efbaa58418a8
SHA1

1daa2ca0f301ee28c7e9c3d0c596592bad077701
SHA256

1e62746213938c3be93de2853c853db1b465a86f4f6756ed25a9330620c82a11
SHA512

1af2cf37326cb8571a07cac511b1b5fd0784741062fb4ea84211ec1e13fbd2a7f4154ee3071c9ec5cc043392e6eecb37f08ad20617f6668a36246bba82713a24
SSDEEP

48:G22222222222222222222222222222222222222222222222222222222222222n:2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2744	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2744	AcroRd32.exe
2744	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1884	2280	cmd.exe	31
PID 2280 wrote to memory of 1884	2280	cmd.exe	31
PID 2280 wrote to memory of 1884	2280	cmd.exe	31
PID 1884 wrote to memory of 2744	1884	rundll32.exe	33
PID 1884 wrote to memory of 2744	1884	rundll32.exe	33
PID 1884 wrote to memory of 2744	1884	rundll32.exe	33
PID 1884 wrote to memory of 2744	1884	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Roblox HWD\Scripts.py"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Roblox HWD\Scripts.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox HWD\Scripts.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
09de16ee38f64d15b66e7d835b311670

SHA1
679bd93ca07d99c07ce5d60bee47cc733f216565

SHA256
96a365e4b64192c6f3fbdf7d15647c5263d50f3847c91982ced49c14bbb901e3

SHA512
515de5a30cdea61ca8f18856ef4bbfeff38e87c57c379cdfcbf86de64be153aba40d79c984dd1d510b614689eaf2ac99df8adff7aaa7ff99e8a1521591485434

Download Submit