Overview (score 10)

Tasks (sample names are shown truncated, as on the original page):

Task     Sample                 Platform             Score
Static   static                 -                    -
1        Roblox Exe...nu.dll    windows7-x64         1
2        Roblox Exe...nu.dll    windows10-2004-x64   1
3        Roblox Exe...nk.dll    windows7-x64         1
4        Roblox Exe...nk.dll    windows10-2004-x64   1
5        Roblox Exe...or.exe    windows7-x64         10
6        Roblox Exe...or.exe    windows10-2004-x64   10
7        Roblox Exe...up.dll    windows7-x64         1
8        Roblox Exe...up.dll    windows10-2004-x64   1
9        Roblox Exe...her.js    windows7-x64         1
10       Roblox Exe...her.js    windows10-2004-x64   1
11       Roblox Exe...x.html    windows7-x64         1
12       Roblox Exe...x.html    windows10-2004-x64   1
13       Roblox Exe...ent.js    windows7-x64         1
14       Roblox Exe...ent.js    windows10-2004-x64   1
15       Roblox Exe...ent.js    windows7-x64         1
16       Roblox Exe...ent.js    windows10-2004-x64   1
17       Roblox Exe...ris.js    windows7-x64         1
18       Roblox Exe...ris.js    windows10-2004-x64   1
19       Roblox Exe...x.html    windows7-x64         1
20       Roblox Exe...x.html    windows10-2004-x64   1
21       Roblox Exe...nit.js    windows7-x64         1
22       Roblox Exe...nit.js    windows10-2004-x64   1
23       Roblox Exe...ins.js    windows7-x64         1
24       Roblox Exe...ins.js    windows10-2004-x64   1
25       Roblox Exe...ant.js    windows7-x64         1
26       Roblox Exe...ant.js    windows10-2004-x64   1
27       Roblox Exe...ion.js    windows7-x64         1
28       Roblox Exe...ion.js    windows10-2004-x64   1
29       Roblox Exe...s.json    windows7-x64         3
30       Roblox Exe...s.json    windows10-2004-x64   3
31       Roblox Exe...ic.cfg    windows7-x64         3
32       Roblox Exe...ic.cfg    windows10-2004-x64   3

Analysis
max time kernel: 211s
max time network: 202s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 21:02
Tasks (all samples are under the "Roblox Executor/" directory of the submission):

Task          Sample                                                             Resource
static1       (static analysis of the submission)                                -
behavioral1   Colorful.Menu.dll                                                  win7-20220901-en
behavioral2   Colorful.Menu.dll                                                  win10v2004-20220812-en
behavioral3   DirectInk.dll                                                      win7-20220901-en
behavioral4   DirectInk.dll                                                      win10v2004-20220812-en
behavioral5   Injector.exe                                                       win7-20220812-en
behavioral6   Injector.exe                                                       win10v2004-20220812-en
behavioral7   Setup.dll                                                          win7-20220812-en
behavioral8   Setup.dll                                                          win10v2004-20220812-en
behavioral9   WebResources/Resource0/app1/dc-app-launcher.js                     win7-20220812-en
behavioral10  WebResources/Resource0/app1/dc-app-launcher.js                     win10v2004-20220812-en
behavioral11  WebResources/Resource0/app1/index.html                             win7-20220901-en
behavioral12  WebResources/Resource0/app1/index.html                             win10v2004-20220812-en
behavioral13  WebResources/Resource0/appmeasurement/prod/appmeasurement.js       win7-20220812-en
behavioral14  WebResources/Resource0/appmeasurement/prod/appmeasurement.js       win10v2004-20220901-en
behavioral15  WebResources/Resource0/appmeasurement/stage/appmeasurement.js      win7-20220901-en
behavioral16  WebResources/Resource0/appmeasurement/stage/appmeasurement.js      win10v2004-20220901-en
behavioral17  WebResources/Resource0/base_uris.js                                win7-20220812-en
behavioral18  WebResources/Resource0/base_uris.js                                win10v2004-20220901-en
behavioral19  WebResources/Resource0/index.html                                  win7-20220901-en
behavioral20  WebResources/Resource0/index.html                                  win10v2004-20220901-en
behavioral21  WebResources/Resource0/init.js                                     win7-20220901-en
behavioral22  WebResources/Resource0/init.js                                     win10v2004-20220901-en
behavioral23  WebResources/Resource0/plugins.js                                  win7-20220901-en
behavioral24  WebResources/Resource0/plugins.js                                  win10v2004-20220812-en
behavioral25  WebResources/Resource0/variant.js                                  win7-20220901-en
behavioral26  WebResources/Resource0/variant.js                                  win10v2004-20220901-en
behavioral27  WebResources/Resource0/version.js                                  win7-20220901-en
behavioral28  WebResources/Resource0/version.js                                  win10v2004-20220812-en
behavioral29  config/oreexcavation_shapes.json                                   win7-20220901-en
behavioral30  config/oreexcavation_shapes.json                                   win10v2004-20220812-en
behavioral31  config/rustic.cfg                                                  win7-20220901-en
behavioral32  config/rustic.cfg                                                  win10v2004-20220901-en
General

Target: Roblox Executor/Injector.exe
Size: 2.6MB
MD5: 0c94ffa43eda8dbb9d4213d63f96dec9
SHA1: 8b4c7361470e331a3edf9ef94aff20facff342c2
SHA256: 6686e809c825c1f19b849e66e542f673c477832f2ab37b033d840e44ac82277a
SHA512: 2909a71b1cf2eb8df9d094067829b1b5910a5deb6c97bddfbc84b32be8f16b4a8e49560487cbaeaf29b4c078a6c28302a6518b23d08f1835d832854162d8ca15
SSDEEP: 49152:FEbIpbiqzH1bjD0nSRtcqCygeAVfyJ3il30:FMIpbiqzJjeSI5ZrfyJ3X
Malware Config

Extracted
Family: redline
@watashiwokorose
C2: 77.73.133.19:31892
auth_value: 45f131fc4fd6dd7d4b2f3e957f83960d
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
resource                                                                  yara_rule
behavioral5/memory/98424-56-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
behavioral5/memory/98424-63-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
behavioral5/memory/98424-62-0x0000000000400000-0x0000000000428000-memory.dmp  family_redline
behavioral5/memory/98424-61-0x000000000042214A-mapping.dmp                    family_redline

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid     Process
98824   fl.exe

Loads dropped DLL (2 IoCs)
pid     Process
98424   AppLaunch.exe
98424   AppLaunch.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of SetThreadContext (2 IoCs)
description                                    pid     Process        procid_target
PID 1628 set thread context of 98424           1628    Injector.exe   29
PID 98824 set thread context of 100184         98824   fl.exe         33

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid      Process
98424    AppLaunch.exe
98424    AppLaunch.exe
100184   AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid      Process
Token: SeDebugPrivilege   98424    AppLaunch.exe
Token: SeDebugPrivilege   100184   AppLaunch.exe

Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, with their count)
description                                pid     Process         procid_target   rows
PID 1628 wrote to memory of 98424          1628    Injector.exe    29              9
PID 98424 wrote to memory of 98824         98424   AppLaunch.exe   31              7
PID 98824 wrote to memory of 100184        98824   fl.exe          33              9
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Roblox Executor\Injector.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Roblox Executor\Injector.exe"
    PID: 1628
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 98424
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\fl.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\fl.exe"
            PID: 98824
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                PID: 100184
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v6
Downloads

The same file is listed three times on the original page; its details are given once here.

Filesize: 1.4MB
MD5: 681503845aa49b8b7a3425508cb32dd7
SHA1: 60c74d61e5ae32e8bb7f8180318b76a4f2695069
SHA256: 0efba85b07354c1f9d55fa4b4a91194111ada55f9bf30cee718db1fe1f26939e
SHA512: d48ce0d4b93eb5fc9aa9c1a8039bdd23d0cadc4841adf966a1e86b280c7c0001c489d99eb5062305399e2a4c37af7b785bf7ac7bacf0c74ef5e5887749ba7ef6