Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

RobloxPlay...er.exe

windows7-x64

8

RobloxPlay...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/01/2023, 17:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.0MB

  • MD5

    c9c37cc5d113277b3851bda9945361f3

  • SHA1

    90ecb64b54b1df08cd75fd10669397c5dd790947

  • SHA256

    219b13ec029b6da2847b67f049c3939136fc7154bc0255356d9aa2c4751393c0

  • SHA512

    71a4a8d35f4a7ba0f815eb86fed61c0a8d5bd258fea3a4dc6de486e0646e4b2f8fda1366ef6b884f2c116f183e6b29acdc2598ff3f9d51897bfd93d9e8448d12

  • SSDEEP

    49152:jBzJhqgJrpi9ZE7K2/Twzakz1p9TnVMfPMQ3d2XLTDb6ga3:HhqAMrE7K1Hbi3

Score
8/10
discoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=96204dbada45ea8122ef24ffac770b61afadbe53 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x46c,0x464,0x7a4,0x79c,0x69c,0xdd332c,0xdd333c,0xdd334c
      2⤵
        PID:4944
      • C:\Users\Admin\AppData\Local\Temp\RBX-44A4F1DA\RobloxPlayerLauncher.exe
        "C:\Users\Admin\AppData\Local\Temp\RBX-44A4F1DA\RobloxPlayerLauncher.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Users\Admin\AppData\Local\Temp\RBX-44A4F1DA\RobloxPlayerLauncher.exe
          C:\Users\Admin\AppData\Local\Temp\RBX-44A4F1DA\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=5d405edfb1976b7e4d3f1f67b16302c21e7e5766 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x720,0x724,0x728,0x698,0x730,0xa332f4,0xa33304,0xa33314
          3⤵
          • Executes dropped EXE
          PID:3784

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      1KB

      MD5

      29dfe305b4212892ea463b542ffbb23e

      SHA1

      1e8e9f31519b432624bd9ecf4f1122b315c73645

      SHA256

      5de62195d2b48c7a6b05f14d5bcb0f270cabbd38d9081c28039183376ab99966

      SHA512

      005ff52a781fcb191f42e5aa802d13631b79f13f51a912c8b7cc4ad34fe630e30e6ae34b84140d675df660e4502659d3199aedd9f9ef9788ef0b76069cbe84c0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7
      Filesize

      1KB

      MD5

      c6ff24d9f34ba8eca141f13cae45d0d8

      SHA1

      4385676aa4330f7945bd51b0ff67e28f29d9a460

      SHA256

      ccda2faa1e6c54c7ee710619d7fe52a89c00cade4e4073042b9f6b0e283e0821

      SHA512

      fc164f1dfdf9d6ab01f81689a6a3d96b933187084932cfe883f6956c13325ec56ca0980f844c0eae87ca7b5bf90008c3cd1765bc61f743e22a5753fbc7e8cc4e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      471B

      MD5

      59c7d1c3e315494e116f2c507c82c767

      SHA1

      12a70b21e3d5d6f4aa8b9f06e115754d2ad47de6

      SHA256

      9164088264623e289af26a53f6aae4948e9190885685866c9c7675382406d50c

      SHA512

      a5dafd1fe7527b25a13de644ba43a79e1f2a50aed20f46c8b2b60af9926d08775480fb22f926f903231bf183da016b2dfebb0cc1195505e00b5ab7c84a0f9ac2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
      Filesize

      471B

      MD5

      b93def072383f54ce5000ce4b8ccf928

      SHA1

      2e5498d461734043bb8388e90ace8e0002ed0bd7

      SHA256

      f76fef89e8b688e22a28018a2db8ebebc33d5d42aef85c52c8b27073858aef56

      SHA512

      036c448d11f475abf480b62c377cc164edf7e8c6879f2cce3ea0aa88dd2ba33c3202c7724833bd771f8b4b3fed5ae3e4f95e061327e2469cbf89b04afc981adc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D6C5BE853DE9635D928C50863E19CD46_58118CA4A1A343467489A27BC4EE02C5
      Filesize

      1KB

      MD5

      5e87e77bdca6c963a8117e096d2cb8eb

      SHA1

      b7c3ec23eab572bb5c6702ffc4437dbb651fb624

      SHA256

      b788ed14e0709507bda566742a0675ff1836d24de566f8980056098f1218b683

      SHA512

      2f876066837686e74a8a8fa142f32b13c4e1573740309e3da7eae9d6bab386b4a20cfdccfbacc52dc790927967fb325c140cff0cb12f398d69b7cf52f806618e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      1KB

      MD5

      2f781719b89fd318a854a3f619129c30

      SHA1

      1168fa63d02ae764755e8f3513e91055f6222c28

      SHA256

      44d1e0330234db53292b070b90299b3a5184d09a05e1a1159cd183435296fa1f

      SHA512

      0b2384a1548aed32c9e0d9acec393520e6d5229b170b73cedeb06415b14e5f17b7e82243581b1b11812a5da2062b3e70ea4ebc899ac0a8a07dde7a178ba8690b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      1KB

      MD5

      2f781719b89fd318a854a3f619129c30

      SHA1

      1168fa63d02ae764755e8f3513e91055f6222c28

      SHA256

      44d1e0330234db53292b070b90299b3a5184d09a05e1a1159cd183435296fa1f

      SHA512

      0b2384a1548aed32c9e0d9acec393520e6d5229b170b73cedeb06415b14e5f17b7e82243581b1b11812a5da2062b3e70ea4ebc899ac0a8a07dde7a178ba8690b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      450B

      MD5

      80128a507e3704405b72e8d08061e244

      SHA1

      03ccf28cfb75a16edfe4131b12501c46b49136a1

      SHA256

      5d1f1b08a02a160753a7d02f4ce8126386b65f6f0c9fd428d15232d371eb81a4

      SHA512

      65cbff20ec486abe91d8e025bf177fe3c382101fe3bce7bdec8b5a8c038d4c5acb4c73c7e9bf02d34502cb342a594729b44e4942eb183d37b256da304fdb6cc0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31A9C487BBB3C199E8D59BE85CDAE127_BF0BDA39B510D85E53F7B2BBE62B01C7
      Filesize

      474B

      MD5

      06e51555dc5bee4f86996518c427e11c

      SHA1

      107f2c9e670590326d158dcada190271926e54e0

      SHA256

      297a4f7db79adb650b8a737af759f743050fac014d70992850a8d7f6d4dee35c

      SHA512

      4e67ab522ac1bb4d0bf2329de936205f08e8bfa1fff4b1dc43935ebfffed4108569f585c26e067f26e0ffa0d1a775acb0c0caa7b2543209858c8f62fab58cb01

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      400B

      MD5

      9b2c2f246af39b9fb3fd9f1152b2b1de

      SHA1

      4fac97e64f5f3790727867b8534b51e7096737ba

      SHA256

      f9dced3ac557c540718a500be77ee97de755eb0a65f19fa94c2e2110f0498881

      SHA512

      ce02a6e27131dfb7f175b2de95d17170e063cfc2833d585725d142f2960f45d8c6a5f4dbb0d9721a87f4a83d12b7c6d7dff741237e8605f98e76d444713855e3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
      Filesize

      404B

      MD5

      7d3d4df751645be1161c7ceab08a8948

      SHA1

      60b66cfb92fe38862479b0ce840fb63b6bce88f5

      SHA256

      28fd03c455c90f2cba7fb516e35b476a328e88dcd786c4acca9d7c78442556e2

      SHA512

      1146c3e768bc59fdfa40127e76c543fe678aba548e8e1547ff95dceaccd015f174a43658b7ab394a542c7dd389693a7a5b05dec75a5d0713a0f79b7f7ce63fb6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D6C5BE853DE9635D928C50863E19CD46_58118CA4A1A343467489A27BC4EE02C5
      Filesize

      474B

      MD5

      2a28def6fa2ac14c83df048dc2849230

      SHA1

      6dbd5d944ac0f7dea7da1856c5e52510751a7d3d

      SHA256

      627e5dc0dd0e99b1c48b8c5bf4d444bcb0b10f7ebf22795acff49f310bbe7946

      SHA512

      03772e490faac1ec24ad0cbdd5e9d32959e24da2d3a003723b5e9171e2f38b791aeefcea1cc9107a6b0422f28a1027b45f1a1e2cdcfb977f422b72b3ae47119b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      458B

      MD5

      666f85b8439a692770dd500d58d98262

      SHA1

      df8d8c9f32737101bee5c7d11f994b2d8d6742e8

      SHA256

      1bab7548f567f01121389842c2c884b90bfd89b93eeeb104dc35f98dad5716b2

      SHA512

      7fc376551270a74cd74c87ea98f358575dada24a2b21083af0219a0526a60a689e098b15eee3480a52c46f814124eb72ad712e0df65ed54742adeb62b9ee2445

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      458B

      MD5

      20607499aaf6a241df9d0088612faa7c

      SHA1

      27022dabce78b581613916c1bb9c2c6271d7fecc

      SHA256

      ad095e8b4110d5b3c4afe1e4eda64e75606b67d18ee2317db466b6d7dafb475a

      SHA512

      103570b2f1d683a430152db4395694de682e101ff2a58c79cf2ca524c8ec13144fdfde1477ea10e2d27d81d17ee7d7a0c6288001c379f97a040dce1d73145179

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      458B

      MD5

      20607499aaf6a241df9d0088612faa7c

      SHA1

      27022dabce78b581613916c1bb9c2c6271d7fecc

      SHA256

      ad095e8b4110d5b3c4afe1e4eda64e75606b67d18ee2317db466b6d7dafb475a

      SHA512

      103570b2f1d683a430152db4395694de682e101ff2a58c79cf2ca524c8ec13144fdfde1477ea10e2d27d81d17ee7d7a0c6288001c379f97a040dce1d73145179

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\PCClientBootstrapper[1].json
      Filesize

      2KB

      MD5

      1d2e8be2220e67b8f843e8549b550c5d

      SHA1

      79fca6120e881a3a2a3bb9752daa9e52437aa689

      SHA256

      08876f9e34ee41f9e7dc4d02d62b2fcfe1c3b6d9d34cb53ff41bca5f2c90a025

      SHA512

      20e026d68c6a4504429305ed9914c99d5f282043c0d82e09e45ac2b7fb1705db18547c779e7c6bf6215bc06905c78aa5e89035432480e0836d42c02ce3391b08

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\version-41dcbd77dbcf416f-rbxPkgManifest[1].txt
      Filesize

      1KB

      MD5

      a5f5606901cb379a20b7e5fc70c103c2

      SHA1

      93423ebb99c628e3548ab03ebbfc0e335bcf4ce0

      SHA256

      ecc5e4347d4cb5413eec9f087cb99e3ee670e25b5552acb66a2866c0e0915f43

      SHA512

      f339544c52e8fb291b0b45c6d2a0664b58fe0c6d78a7d4d64f3277a96cc1dee39ed13f4648a610b4bfba6b0fe1479fe7588a42211dee53f6d7409505c1456109

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\PCClientBootstrapper[1].json
      Filesize

      2KB

      MD5

      1d2e8be2220e67b8f843e8549b550c5d

      SHA1

      79fca6120e881a3a2a3bb9752daa9e52437aa689

      SHA256

      08876f9e34ee41f9e7dc4d02d62b2fcfe1c3b6d9d34cb53ff41bca5f2c90a025

      SHA512

      20e026d68c6a4504429305ed9914c99d5f282043c0d82e09e45ac2b7fb1705db18547c779e7c6bf6215bc06905c78aa5e89035432480e0836d42c02ce3391b08

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\PCClientBootstrapper[1].json
      Filesize

      2KB

      MD5

      1d2e8be2220e67b8f843e8549b550c5d

      SHA1

      79fca6120e881a3a2a3bb9752daa9e52437aa689

      SHA256

      08876f9e34ee41f9e7dc4d02d62b2fcfe1c3b6d9d34cb53ff41bca5f2c90a025

      SHA512

      20e026d68c6a4504429305ed9914c99d5f282043c0d82e09e45ac2b7fb1705db18547c779e7c6bf6215bc06905c78aa5e89035432480e0836d42c02ce3391b08

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\WindowsPlayer[1].json
      Filesize

      119B

      MD5

      4a36f518afc2633dea8592f2554f6133

      SHA1

      2f0286860d7b9c26f47215393fc94fe1b24e7ad0

      SHA256

      9d2871555cb58928ad2c6ce8fabe5efbbae984091ef0c72a042b2c50c119d428

      SHA512

      be32a8c9bdc63ba1280278c7f0c0242cef01d3bf1ed9c0dff5b6141e4d76301067850b9574478e1472c24fa3614345707753858c3d76e10f404e16e02f3dac03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RBX-44A4F1DA\RobloxPlayerLauncher.exe
      Filesize

      2.0MB

      MD5

      34d6da080af6ae29247f06bcae9292c5

      SHA1

      6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

      SHA256

      ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

      SHA512

      c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RBX-44A4F1DA\RobloxPlayerLauncher.exe
      Filesize

      2.0MB

      MD5

      34d6da080af6ae29247f06bcae9292c5

      SHA1

      6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

      SHA256

      ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

      SHA512

      c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RBX-44A4F1DA\RobloxPlayerLauncher.exe
      Filesize

      2.0MB

      MD5

      34d6da080af6ae29247f06bcae9292c5

      SHA1

      6b1397afa50fd65b5dc38aac8e6c33ff11f9a1dd

      SHA256

      ce68f81a0d40040d36a8090461455a9452d3e9d67b528caf4196fc19e159872b

      SHA512

      c74684725064c8f9a76c727a4641df7ebeae414f292c07b84cd6266def454a69091c1e0994ca91e5c1e3fb411f790e572551edfe9d50ae307d2fe5fa9343f443

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
      Filesize

      40B

      MD5

      55fa291d4943519d94d14b250b9ec4dd

      SHA1

      8f2e3446a096d5fac03e3d7b03482027b939bf01

      SHA256

      92b7bff4c1cc0fbe75a45691818548c5c7c05a5ede0c327ab8d1a06580fc82e9

      SHA512

      02268c285371f52c2180e779eb87f3f9905f2786654d015b865a3cd4757a4f503ead3b9dbd6aef1ca41467d7e92023dfa52194a93068c17a1a41f194c0ebcb9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
      Filesize

      40B

      MD5

      55fa291d4943519d94d14b250b9ec4dd

      SHA1

      8f2e3446a096d5fac03e3d7b03482027b939bf01

      SHA256

      92b7bff4c1cc0fbe75a45691818548c5c7c05a5ede0c327ab8d1a06580fc82e9

      SHA512

      02268c285371f52c2180e779eb87f3f9905f2786654d015b865a3cd4757a4f503ead3b9dbd6aef1ca41467d7e92023dfa52194a93068c17a1a41f194c0ebcb9d

      Download Submit