Overview

overview

8

Static

static

1

RobloxPlay...er.exe

windows7-x64

8

RobloxPlay...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    81s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2023 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.0MB

  • MD5

    6723f12d15525aab7f012dc6050a8d3c

  • SHA1

    a349dc774f9e5fa0023c26d421f94dec8701f19d

  • SHA256

    e08d1e9c9bd59b716c3ce85ecbdbe935b5b57358f12a3f03b1f0a8914c1476f9

  • SHA512

    4fef0a875bf25d097b8cfe0eadd6e4e6e5c141ac08ab4e94112f0d7b1cae1b574e5feab68a0eb79993648aabacc2d2c51c894818af0995e78e4b7cd3a60907d4

  • SSDEEP

    49152:ZmFShsAj6/KeoXwO4RDQ8ZdTJCaY+4lNT7CM6PMQ3d2OnTqb6cPz:SS+Aj6/uXcDQ81sbB7

Score
8/10
discoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=d0b4c56632452fa149160ea75abb3fd8ebbae2c4 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5c4,0x5c8,0x5cc,0x5a0,0x5d4,0x12532a8,0x12532b8,0x12532c8
      2⤵
      • Modifies system certificate store
      PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
    Filesize

    1KB

    MD5

    31b910d0e28bfa4faded9cea77abd3e9

    SHA1

    467a701f23d57c85d5efcafefeb66c369fd4d651

    SHA256

    129f2ccd30c0580a3ad0f4cbb6d84a8bedc07498fff02680a83bdeeb20dd1992

    SHA512

    947970353d67a1cde207910fb3ef8e81f42495e2400619c835caa86179af32769695b55eab10e4582d95b0781307ba58671ba451a5cb2a55df564a68b0e41498

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
    Filesize

    471B

    MD5

    d869aa372177cefe16f9a4f3e656ae1d

    SHA1

    dd648b47c178dcd3f7cdf5f87146cd15196d6fa2

    SHA256

    d7cb6b3e1ae57fd75e9fda78c05e4f630710ccbb005a82518106dbcbc7237906

    SHA512

    bb6361cedc3ce8e47bda83d9271cd9f5ce6451866785d2f79b427af8ec74ff4b655e5d1f4a3caa052f9919c05cc423bdac2e5d0a878e2ddbac69aaa75c6354a2

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
    Filesize

    1KB

    MD5

    c674a0c651cafbc666ff3d39fd943be0

    SHA1

    af67492d7d9e7eedd7d485df51cd08c864bf62e2

    SHA256

    c7422305f0d70e5796439ee0cdfe4766ffc4731e1c15951ddcc0ff3a4025deb1

    SHA512

    07526ece36e0e63c5e6ee4dad9aacae6f22c8b9a8b31fe137720fe90dcb2b39818fec263ec561943b6cee327454a90bba5b4b63601e18c4a7ab412090a29dfc3

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
    Filesize

    450B

    MD5

    dbce66bf014c9ace9982c23fdcc09211

    SHA1

    fba6991ed3777f2745b2ad6a6db04e5f80aa3c79

    SHA256

    981dce8c1f2015d77970e44901e81a452282c4b7a1d2ed7c4d986a026ef9fd57

    SHA512

    efdc17236c306e38c6912f947a6c4f4ec36773fd18378c27350efbaa7dcad0b35b26c11973271a7f2673b826019a4335f81d3efa70c2908dbdd30e924003092a

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    86d5db27027347d1bd5592a497494aae

    SHA1

    17fa44126cc8eebe1c1447f20b6aec149f8a08f1

    SHA256

    154cffd3792ce610293071e3a84c289dccedc29bb190891766956f0f24ca9f8a

    SHA512

    fad2d9e0cc59c0611a162b796554624b20f4974ea3d328df6e8a3af485f432200ea8b14f5d3fac4abe919b505e205adcaaa4e7fa658f560d2e101c111b4a860d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    304B

    MD5

    ffb7eac1c1d292696f56f6a838643823

    SHA1

    3f4a702ae40fff7d2fbdc85e77384f02f2264699

    SHA256

    437151aee85c2e64fa3ceafb4fb91bd8a93a852ccbbc2bcf66693cabe99f6211

    SHA512

    f4a7e58afb2a5dafba4dde9cf741728705eb92b1b956d2276526a42afc41acba0d0d7be7d85cfae9a6df1e28a0158c829b2c3def54b99447c9ec2a680e4f49cb

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
    Filesize

    400B

    MD5

    8b8b9c506e8276be5153c71e50e42aef

    SHA1

    3160b603613cb201c12c7a62726a741a7d9f84f1

    SHA256

    afd2d1c42bc94f2dfdad60e6a77a753091b180af0069b1c41e810f182c31051e

    SHA512

    f6aafe200a06ec67d792e5fc0f205d5c10df8692fa4c8c8c2d20cbefbc31c54fd9608f81c61b390657daf4123524042f60352e44373f1d0c982b9445feb631b9

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
    Filesize

    458B

    MD5

    c0bb64ff496411e2213f1cef866538df

    SHA1

    a4079a3cbbd65d5c925f999eb391cd1bac0f2c48

    SHA256

    1aa6fcf64ee5c6878e03ab000027cd2a556775757dbfe6832ece49d11aac5a3d

    SHA512

    37cd4713ddfd615d863e521d37a7df29de2655428e43164a490385158347684ba467f5a8599c3e9d19668504a8a0606f7b31223980b09aad043170bd28bf7efa

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PFZC0YBM\PCClientBootstrapper[1].json
    Filesize

    2KB

    MD5

    3e511c368304454f7c38d2bc125ea762

    SHA1

    fc6a9ecc9cd17efb1ab85287d7a5006b0f3ad0c0

    SHA256

    8921eb5bb390fe87bc77cfb96ea9c8a914ede063c256b7db3119f2babd5f4a2b

    SHA512

    5ccc497dc5125ae885282b7e725346d010ef25efb95452ba5eafb4686a3fd5c8465dc7923bdac33bf570ed41501ce38121865f5ee92b5dc1ddbebb3b18d73842

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
    Filesize

    40B

    MD5

    79f65757db3c167af32797deab297fd5

    SHA1

    7f053b60623dc7b7af27b5f29efb596fc639b5bd

    SHA256

    b32842ab643a0d4b2ae18a52f5f2962decb8524b3a7085aa25a9bbaafd9501b1

    SHA512

    52032d4692228dec996658bf6745e782b993c472d638bb7835106fee12cc97c15e2df983f99cbc147744b1c147fa55ac51170f07208d4daabdd407e2fe4bfe74

    Download Submit
  • \Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
    Filesize

    2.0MB

    MD5

    d9d2e5377a7c4c4fce388bd63223f027

    SHA1

    3fde9184f7d1b3b9f694b92e3044d2650da06e4b

    SHA256

    29e95a701df0a8d0f896c3978c44a214306eef238c2fc56454e5dcd7206cd804

    SHA512

    f087605d59547838b93e061c43c7d87283496f64c33633d495868518d7949b444233aef8566ad0b6fcd21ed9c0f4dc5b18935c9cff43e17bb9053a05595785c0

    Download Submit
  • \Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
    Filesize

    2.0MB

    MD5

    d9d2e5377a7c4c4fce388bd63223f027

    SHA1

    3fde9184f7d1b3b9f694b92e3044d2650da06e4b

    SHA256

    29e95a701df0a8d0f896c3978c44a214306eef238c2fc56454e5dcd7206cd804

    SHA512

    f087605d59547838b93e061c43c7d87283496f64c33633d495868518d7949b444233aef8566ad0b6fcd21ed9c0f4dc5b18935c9cff43e17bb9053a05595785c0

    Download Submit
  • \Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerBeta.exe
    Filesize

    57.6MB

    MD5

    4807aab213ee368e3e679518f0c17d96

    SHA1

    1b4368ee8e9fea0bc2b9b916cc3a5edfffc8b19d

    SHA256

    e3f8a3e5ec91b521066c7ec0ab5ce6aa8ed3e648f6769b54fd44d08677983b87

    SHA512

    b57decbbe65ee9e77cd56adc1a28d9d1cc17fd9940ad2e11f7d73bfa3ab35e3e847fa490857a1f91696e6cd87f2a77b378d335d78113e1c375230413753fe27e

    Download Submit
  • \Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerBeta.exe
    Filesize

    57.6MB

    MD5

    4807aab213ee368e3e679518f0c17d96

    SHA1

    1b4368ee8e9fea0bc2b9b916cc3a5edfffc8b19d

    SHA256

    e3f8a3e5ec91b521066c7ec0ab5ce6aa8ed3e648f6769b54fd44d08677983b87

    SHA512

    b57decbbe65ee9e77cd56adc1a28d9d1cc17fd9940ad2e11f7d73bfa3ab35e3e847fa490857a1f91696e6cd87f2a77b378d335d78113e1c375230413753fe27e

    Download Submit
  • \Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerLauncher.exe
    Filesize

    2.0MB

    MD5

    6723f12d15525aab7f012dc6050a8d3c

    SHA1

    a349dc774f9e5fa0023c26d421f94dec8701f19d

    SHA256

    e08d1e9c9bd59b716c3ce85ecbdbe935b5b57358f12a3f03b1f0a8914c1476f9

    SHA512

    4fef0a875bf25d097b8cfe0eadd6e4e6e5c141ac08ab4e94112f0d7b1cae1b574e5feab68a0eb79993648aabacc2d2c51c894818af0995e78e4b7cd3a60907d4

    Download Submit
  • \Program Files (x86)\Roblox\Versions\version-c5837a56b9bf486f\RobloxPlayerLauncher.exe
    Filesize

    2.0MB

    MD5

    6723f12d15525aab7f012dc6050a8d3c

    SHA1

    a349dc774f9e5fa0023c26d421f94dec8701f19d

    SHA256

    e08d1e9c9bd59b716c3ce85ecbdbe935b5b57358f12a3f03b1f0a8914c1476f9

    SHA512

    4fef0a875bf25d097b8cfe0eadd6e4e6e5c141ac08ab4e94112f0d7b1cae1b574e5feab68a0eb79993648aabacc2d2c51c894818af0995e78e4b7cd3a60907d4

    Download Submit
  • memory/1232-54-0x0000000075E01000-0x0000000075E03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1396-55-0x0000000000000000-mapping.dmp
    Download