Analysis
-
max time kernel
140s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
01-10-2022 11:47
General
-
Target
https://ro.blox.com/Ebh5?pid=share&is_retargeting=true&af_dp=roblox%3A%2F%2Fnavigation%2Fgame_details%3FgameId%3D3701795391&af_web_dp=https%3A%2F%2Fwww.roblox.com%2Fgames%2F10064361907
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 56 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://ro.blox.com/Ebh5?pid=share&is_retargeting=true&af_dp=roblox%3A%2F%2Fnavigation%2Fgame_details%3FgameId%3D3701795391&af_web_dp=https%3A%2F%2Fwww.roblox.com%2Fgames%2F100643619071⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c34f50,0x7fef6c34f60,0x7fef6c34f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1108 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3328 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3652 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=776 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2404 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=932,17132451135497178441,15377836625591639527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:82⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5c37caff982b12eb129a2de1e75d724bc
SHA1b5edeea9591c9be2013790ef3bd877b8819ee0c7
SHA2564505b9febf6bce99f403bf3a4c01f013ac38cc20ddfd03936cf0ab58d2705ab7
SHA5123094a87766700b24cee84ce50a821f6311e8332e5f48bd13931cf18f7f66133b77df28d8ca22582e5a4f1c15173bdcb5142fa6914c4f642f52b41725d8b4bbb2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD5d15aaa7c9be910a9898260767e2490e1
SHA12090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA5127e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD55a11c6099b9e5808dfb08c5c9570c92f
SHA1e5dc219641146d1839557973f348037fa589fd18
SHA25691291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172
SHA512c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_C89A7CE86B947A5BDDEC66331470004AFilesize
471B
MD52601db85aa6894ea41f37fc0c1f2594a
SHA1afc9de950cf648d720a78467582b26346b8d53bc
SHA2563211c5c61098100152ea682c86ec84f3a80229b8d709e5cbe0022caba7dc9e24
SHA512b85beb796e92ea471bdccbc18a4c70c252070952fe3dde2ca090089768686eb780695302a032191db4c7062646fae0ace6716be043b39c4b4bd7e0f5ddd078dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD58fd783ba6a50e092046e2b471d633a90
SHA1437481b5d4a76b26d9c6375360313924098e48ec
SHA25625fc0cda47ec78c110587593286ac255d5e2304b691433084db3091e3e6b4146
SHA5123ce5ed16b370f0e136ded92d0ae1e23296e63a81cc1a06c4c8a5553ec30084920099d22373536d07be7a83775b96d978c8e798b327a893c93d7d20985091b6a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5ce6f3353eb1c3a27237728a81cc3fb92
SHA1e2b33ea5eedc5d27b74227beb0678d021b8e43f4
SHA2563ea3d34d65931827ca393090a53f2863009e367fc25945f3245c477f389c6acc
SHA512fe42a8d4ebfb415e8f20484fd7e752954c8f64f1e5f47323e4b1434d983897ec0238da567ca453cecbf368336b59fb246241d751d3994cb24df3b0c4cfdedb30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD53432a84383583d755d8c6508eda528d9
SHA1958244d4fdda69ff5a3aefcb6baca0996c2789da
SHA25626b6f17ab14c9f8e42a513cb362eb05cbb6f2da264efb2c998190e43b485e9b7
SHA51210e9d0016a4bb5bf3b7c1793daaa0a7bc261d29aa0c7781fbae4a7f8c13fa9df0cf1509d7149e9c26623d83b8282df5855b4f611fe4ad106a005b5005e9558db
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD5e05da0d6c0562e6087438eec0f6e8335
SHA1bacde1cf78fac06ac41784116b7d29782961db7a
SHA2569f5b34f922fe09a749d90d6a8a10cedf3d9edb706a2153437c51b07483c8e232
SHA5125e4ddd8e7a65293c72042cd68972ddcbe6da3d10497a1f2d722d09e22d2e3b9861ebe84fa1c721b9a23cab05e0f02806bbabdda7c37e8582980c97784a347fdf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD5668fdaee2fa5b42c9c01cdb12e3b0e52
SHA1d1701ee87c0773dcf845e9b2d25e51ef63adfd4d
SHA256e10f76c8dfe5d1284bb1acf0ad845dafa31a9d1bc18594017b0b3976f1590ec9
SHA51207c3eb21c43d047920a1d477c95f50f10e16a20f43de29c9ab5e5053ca5d4e727a6920044aef803a50f84962e4a580cb6c25077798677aa696eeeaf10a2a6a46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5cf50cfdb0355c7cd4f7c8ae6fa6ab54e
SHA172f1ebac84ac0f9228cdff10463a4bd3550dae02
SHA256d7addbbe1fa9bf51fc011eeffe127060f5e11adedf842d9ff0335aaad2cbdfb2
SHA51265245156646ab54a6736ec23899826ad7dd2f0c9c766ea6152f80b248c2af82bc4cbba0a6d59af31fe9b7f2893b05ee17697e4458ebf11a46b768414d9b4f453
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_C89A7CE86B947A5BDDEC66331470004AFilesize
406B
MD5860571a3a8d6b8f1dd038c2de473ffa1
SHA1f892e607f1c43160404ec91d2ca3adde23762cf7
SHA2560cde047bab88976112a354ad723c8cfa927bd81fc309c65d8a3ab06e24a8f870
SHA5127f7c07b87cf6633adb9c76aff58b17a36e383d526ca207d6a8266c0ff67c719edc034ba1408748cdc4b4dae8b6211dc28dc0c2170d2d455cea204cc86590c33b
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.datFilesize
8KB
MD54ef1d7e055cd44cdce7f4dc6885f7990
SHA116949545156ba3fb19a3066b0fbe5880944c3ed9
SHA2562ff7a0b9187cd1acfcf44e2d75e08f713b0962a729bd4a327254dbf7a33d9e12
SHA5125f1ba6ea1d099ddf1925d70aaa95b794e7d410206104263ac1a823e4be2cf79073306ec95ffdd3550cc8283400d33ecfc1f632611bec2a253716f1724f31c38e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VXCWF8M0.txtFilesize
608B
MD554df25ff26a2fedc602bf39fc53b0606
SHA1a024ccc026c1317a38eddb43f828ed25662d4b42
SHA256d26a9ee9a3ed50b9343a39b06dfd450ba637b3e8efc199bbe33e9eff4be6ec57
SHA512bcd5f79183eabe61ec63be5376fd2231aad13ee23d3e88e7a7c2abd7b72c1a1632c0de304769e3aa96c8101e8262486f468a5ab4a0b6acd0649ead34cd593180
-
\??\pipe\crashpad_1556_IEVJQMEKHGIMRTPCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e