Overview

overview

8

Static

static

RobloxPlay...er.exe

windows7-x64

8

RobloxPlay...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-01-2023 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.0MB

  • MD5

    34d6da080af6ae29247f06bcae9292c5

  • SHA1

    6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

  • SHA256

    ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

  • SHA512

    c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

  • SSDEEP

    49152:7EDwfYZf+r0RFD3zjTVTocahQ5MOTeZM2PMQ3d2HST6b6fz:PYZzR53zjG8bGz

Score
8/10
discoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=5d405edfb1976b7e4d3f1f67b16302c21e7e5766 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7a8,0x7ac,0x7b0,0x6b0,0x78c,0x7932f4,0x793304,0x793314
      2⤵
        PID:1312

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      1KB

      MD5

      7e25f6fb89e5e90a0332072faad895a0

      SHA1

      da862e41af5f2ad287c45ba85dabbbd034b01b43

      SHA256

      b7e8aaa4b720c9846e65216dad5d59af4671e151c2db9ca1e81d490f23f537a3

      SHA512

      1ae3a7e83612bfc1337c7de63446806746b4546055869434622f5a544f80bd7d3a21a8d84cad1a15190c545336c8c150bd043cfcf536a2857673a69f244cff93

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7
      Filesize

      1KB

      MD5

      a520780c10dcf687a0351a014dd6b18b

      SHA1

      813ae9c32e609938ccff83055a873a8db17dbbac

      SHA256

      5f69b3ad24713f80a24cd24e8fb7727324bf05c077d47720b3e1c0c199e7e257

      SHA512

      441bd58004a41d7600c873126dc1fda0894d059579096a9a0dfa320d18e89979e8b1403ee349702f3b9c837efe49a83fc41c68961e7598c622bcf3e24af4b234

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      1KB

      MD5

      2f781719b89fd318a854a3f619129c30

      SHA1

      1168fa63d02ae764755e8f3513e91055f6222c28

      SHA256

      44d1e0330234db53292b070b90299b3a5184d09a05e1a1159cd183435296fa1f

      SHA512

      0b2384a1548aed32c9e0d9acec393520e6d5229b170b73cedeb06415b14e5f17b7e82243581b1b11812a5da2062b3e70ea4ebc899ac0a8a07dde7a178ba8690b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      450B

      MD5

      a7edffd431e31c158a279ea839215825

      SHA1

      1b5531060eb057fe1a2f59fd26aaf426c1a02dbb

      SHA256

      729e1753f9a3b154bc490880810549581534095fc109e2f3d405b50dffd28836

      SHA512

      ac00760a12d07a61a1bf0c002e4392498a364123722b4ea05f393548c26b58e0e40beee507c0a8910cea82ac5dcc8cdc1decb39b7c41618f8ee486b0e4df5847

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7
      Filesize

      474B

      MD5

      1ed5592da620f0b92614d383de7908db

      SHA1

      74c8189ed48a0a76380c18f8504c61f54f889a7d

      SHA256

      8039c6bc24e82bd3549b702a89f4fc40e2e198e24afd30b087642e0964258b47

      SHA512

      6ad4b4978a33e867ff6144f3d111d67330fd0ae74bd18df2fba0cf32149b0393e50e98f030475c5b89bf25c34899f79df208bb01176d252328088a1cd647416c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      458B

      MD5

      ecb3d344f585f4cfb03416f6cc11c4cd

      SHA1

      6a13f6c850c9f04492a4175a498c93b66a78e498

      SHA256

      549b3200664d78c1150dd417466162f055f86dd4a11abe50298d943251376efd

      SHA512

      216528f22b590087f0c0c6e3e86e27485c3db7b5680e39d4c2c098714e9a77331189be23d9bcd838036f337d1374e98b7fca11cbbeccfff22470b23cbd99dff4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\PCClientBootstrapper[1].json
      Filesize

      2KB

      MD5

      8535124841e1fa6d3e82fd30dba847ea

      SHA1

      55873ac0bd7f2282f0c1867ecc87982495edb605

      SHA256

      fab5a3b7d13d4275244d736f813649b12934fc4229bf4ce6883170d362f2cc52

      SHA512

      6dd909fcd2b0b9b08562e97c8de59bf3e3f92fe35650b581b54dd3eacaecc118ea738aec5bc2763eaa15e6fa339bad28fc7d3159fc8176e579c17c60ff91f539

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
      Filesize

      40B

      MD5

      2ae0f4a050b812bb2b3eaff0c288a613

      SHA1

      d9224dadafbb4564ede2b0d606354ec0a0385f77

      SHA256

      12e238c9248254247814fe9de37935d86627771cf3d82b1cd305284ac28c58aa

      SHA512

      b67dc7eca9fcddd06a753ce10b2d39c1ccccac99117b263092de385ac5abd3aabdc7e25502aca10cf86fc657979057ddb584423c56dcebea72365e7b9df4661d

      Download Submit