Overview

overview

8

Static

static

RobloxPlay...er.exe

windows7-x64

8

RobloxPlay...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    82s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    31/01/2023, 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.0MB

  • MD5

    34d6da080af6ae29247f06bcae9292c5

  • SHA1

    6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

  • SHA256

    ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

  • SHA512

    c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

  • SSDEEP

    49152:7EDwfYZf+r0RFD3zjTVTocahQ5MOTeZM2PMQ3d2HST6b6fz:PYZzR53zjG8bGz

Score
8/10
discoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=5d405edfb1976b7e4d3f1f67b16302c21e7e5766 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5c4,0x5c8,0x5cc,0x5a0,0x5d4,0x6a32f4,0x6a3304,0x6a3314
      2⤵
        PID:748

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      1KB

      MD5

      7e25f6fb89e5e90a0332072faad895a0

      SHA1

      da862e41af5f2ad287c45ba85dabbbd034b01b43

      SHA256

      b7e8aaa4b720c9846e65216dad5d59af4671e151c2db9ca1e81d490f23f537a3

      SHA512

      1ae3a7e83612bfc1337c7de63446806746b4546055869434622f5a544f80bd7d3a21a8d84cad1a15190c545336c8c150bd043cfcf536a2857673a69f244cff93

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7
      Filesize

      1KB

      MD5

      a520780c10dcf687a0351a014dd6b18b

      SHA1

      813ae9c32e609938ccff83055a873a8db17dbbac

      SHA256

      5f69b3ad24713f80a24cd24e8fb7727324bf05c077d47720b3e1c0c199e7e257

      SHA512

      441bd58004a41d7600c873126dc1fda0894d059579096a9a0dfa320d18e89979e8b1403ee349702f3b9c837efe49a83fc41c68961e7598c622bcf3e24af4b234

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6C5BE853DE9635D928C50863E19CD46_58118CA4A1A343467489A27BC4EE02C5
      Filesize

      1KB

      MD5

      a642f3f78f39f6b37d8c9c34c4fb4fa1

      SHA1

      9a5e9d9118ea8c5293e4dc68fdbdc3718fb86c6e

      SHA256

      258c29336dfc4fedf9fe1164301ce890a27168549918f391c151050b273593ba

      SHA512

      2eb48b7f13274e7713b42c3a6c2895ff50f1d7e2f4cf6c0b5d3d0c2351e748153c5296a5e5f31c279e67984779fef767f20d27e0fc80bcf2f1cfd5d088176100

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      1KB

      MD5

      2f781719b89fd318a854a3f619129c30

      SHA1

      1168fa63d02ae764755e8f3513e91055f6222c28

      SHA256

      44d1e0330234db53292b070b90299b3a5184d09a05e1a1159cd183435296fa1f

      SHA512

      0b2384a1548aed32c9e0d9acec393520e6d5229b170b73cedeb06415b14e5f17b7e82243581b1b11812a5da2062b3e70ea4ebc899ac0a8a07dde7a178ba8690b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      450B

      MD5

      49b35385007491f806f1b407b6756246

      SHA1

      9a574c43125a0bbcaf4d9659285c82076991d975

      SHA256

      f0d3cb2279c5afe45a8d2732e5a3f8b375aa1cf3da29cb8dc5572116741d46a4

      SHA512

      a5f61719e835877ac77e3db2635bc87f30377001db4552c5f4795702e0a7278573f9bcc5de201980a72c42e403f3839d90d55a86b6f6e50e0553c03f519e13ce

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7
      Filesize

      474B

      MD5

      c3b8596e15fb164e76165ade6a33f02a

      SHA1

      b7148c8cd53b9b40e8a5247d5503550c03fb5d7a

      SHA256

      d7ba78dc5050e8cab6ea576458d68c5bdd2b87ee72a354184d6121bec4aa5b9f

      SHA512

      0622ae73f7b88fd2006c6fbe73517ca2c4cf5de873bd65c00f99b1c8e74101841cfcc1c938f7822cea6735696a024256ce3e6109c3087c1f9988205340db3e5e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      b6a352e89c492c8564dff4f8afa54b21

      SHA1

      859519055ea9a023af928f3c7438bb221ffa1dbf

      SHA256

      2baf3b1b4ed31a77c0fed511c41ae706767facddb3ab7126717337a758b32fba

      SHA512

      10ee2d9f59bc4e1015b42f9a2cfeb3528456d78dab6f7bd6d7524a52ae72b35f1f2015b2c53c4eb1382d6ddba01906fe6a1a2763025e892a819359d3afe9e92c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6C5BE853DE9635D928C50863E19CD46_58118CA4A1A343467489A27BC4EE02C5
      Filesize

      474B

      MD5

      776c7e808d2700bac0fd026c9066ae35

      SHA1

      ea04298f0ce1fba13422407093d2ac775a291e22

      SHA256

      ee606ca235c13fbaf1424a55018d7d74014bc61df27e94ec62f6d730aee40abc

      SHA512

      b02e78a4dbe705441d170b5ef5b07eee79e9d4df2d66bef12a18128099639820f6a16f4717e667127bfe21981f6b3f8d8340bad7d1e32f204ed823dba2cc697a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      458B

      MD5

      4ab7ba6508143b09a00b6ae819ee1a9d

      SHA1

      8443407bcfbf5846d891f696e07a760553f5f10b

      SHA256

      259548367e0e6e0a84314e1778f3b8c1996b7dd84e003cd78c57646134ac3fe9

      SHA512

      ecd94b9c3806f076681f615888643ae6798c842c25b6077378ced3c6cb15fefb541f011c304b25f4cce58b62aa1e82060d5e0a6e29eca1dc7fd227155409f459

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PFZC0YBM\PCClientBootstrapper[1].json
      Filesize

      2KB

      MD5

      8535124841e1fa6d3e82fd30dba847ea

      SHA1

      55873ac0bd7f2282f0c1867ecc87982495edb605

      SHA256

      fab5a3b7d13d4275244d736f813649b12934fc4229bf4ce6883170d362f2cc52

      SHA512

      6dd909fcd2b0b9b08562e97c8de59bf3e3f92fe35650b581b54dd3eacaecc118ea738aec5bc2763eaa15e6fa339bad28fc7d3159fc8176e579c17c60ff91f539

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
      Filesize

      40B

      MD5

      253e7a6117665ac4a3d10b339934b13a

      SHA1

      d03e06194cdb1063bd5d5dd4fda87710a66156e2

      SHA256

      7e5ae33488d33a5dbf90cc4f7bc6f387847c7c24694e5c9ed7c40d86428ff39a

      SHA512

      ff69af41d15d48316116939655abf50b368ae10585e0c786242f9e4442dc8224f2f0b490ca542f06bff2ad921ce6ce7db8ccd7902242261397d4906252702314

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\49PW3KK2.txt
      Filesize

      67B

      MD5

      cf295d810a0888026b7cdd93a640849b

      SHA1

      6ab5ab69283a3ccdedbc329912ad88bbad46a73a

      SHA256

      abc5592a659129098db156912eef2db78c93fd712b43f148c61f4771519d84c5

      SHA512

      e913f91109087add9a24550b796194cf895b8e4eb5cbd5ff3df047d6fae801499fa63d7b6fc2b986c1f7e03b410d0b7c98ad5166a5573764527f4f257447d94f

      Download Submit

    • \Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
      Filesize

      2.0MB

      MD5

      322ad896786eea9f94746287710f78bb

      SHA1

      7cd1e382ca1a8b61df3f2fd7c6307eb549bb7730

      SHA256

      835fe15f0f4e6b78524e1ffa2eb43e117f38e0bc677535636c99e820f54de1a8

      SHA512

      e05c413f17338b4b1bf35e64fb61c2930f30dace0028cf0dae8143bd010f2b58d309aefa1a2d6cc636efef15bdaf0075abc790d55a26dca9f263e79f21d10389

      Download Submit

    • \Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
      Filesize

      2.0MB

      MD5

      322ad896786eea9f94746287710f78bb

      SHA1

      7cd1e382ca1a8b61df3f2fd7c6307eb549bb7730

      SHA256

      835fe15f0f4e6b78524e1ffa2eb43e117f38e0bc677535636c99e820f54de1a8

      SHA512

      e05c413f17338b4b1bf35e64fb61c2930f30dace0028cf0dae8143bd010f2b58d309aefa1a2d6cc636efef15bdaf0075abc790d55a26dca9f263e79f21d10389

      Download Submit

    • \Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
      Filesize

      2.0MB

      MD5

      322ad896786eea9f94746287710f78bb

      SHA1

      7cd1e382ca1a8b61df3f2fd7c6307eb549bb7730

      SHA256

      835fe15f0f4e6b78524e1ffa2eb43e117f38e0bc677535636c99e820f54de1a8

      SHA512

      e05c413f17338b4b1bf35e64fb61c2930f30dace0028cf0dae8143bd010f2b58d309aefa1a2d6cc636efef15bdaf0075abc790d55a26dca9f263e79f21d10389

      Download Submit

    • \Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerBeta.exe
      Filesize

      57.5MB

      MD5

      ccac7596d7a99ec3cf796b286378e5e0

      SHA1

      e1967831b8472ba519c81e425bdcff10098cd208

      SHA256

      b720401158d02a6eaf8548df938192f4e9700e2844bfde64257413644b7a4d27

      SHA512

      d889713d868173a66317a2ec10d20c1fd2bd2a90ab5c7436eb82978ccc75faafc78aeecaac8ba00ff8f563ec4ae1b6245ac0679421f2f9957b6c71fb505ab905

      Download Submit

    • \Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerBeta.exe
      Filesize

      57.5MB

      MD5

      ccac7596d7a99ec3cf796b286378e5e0

      SHA1

      e1967831b8472ba519c81e425bdcff10098cd208

      SHA256

      b720401158d02a6eaf8548df938192f4e9700e2844bfde64257413644b7a4d27

      SHA512

      d889713d868173a66317a2ec10d20c1fd2bd2a90ab5c7436eb82978ccc75faafc78aeecaac8ba00ff8f563ec4ae1b6245ac0679421f2f9957b6c71fb505ab905

      Download Submit

    • \Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerLauncher.exe
      Filesize

      2.0MB

      MD5

      34d6da080af6ae29247f06bcae9292c5

      SHA1

      6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

      SHA256

      ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

      SHA512

      c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

      Download Submit

    • \Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerLauncher.exe
      Filesize

      2.0MB

      MD5

      34d6da080af6ae29247f06bcae9292c5

      SHA1

      6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

      SHA256

      ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

      SHA512

      c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

      Download Submit

    • \Program Files (x86)\Roblox\Versions\version-41dcbd77dbcf416f\RobloxPlayerLauncher.exe
      Filesize

      2.0MB

      MD5

      34d6da080af6ae29247f06bcae9292c5

      SHA1

      6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

      SHA256

      ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

      SHA512

      c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

      Download Submit

    • memory/832-54-0x0000000075831000-0x0000000075833000-memory.dmp

      Filesize

      8KB

      Download