Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-02-2023 15:45

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.0MB

  • MD5

    6723f12d15525aab7f012dc6050a8d3c

  • SHA1

    a349dc774f9e5fa0023c26d421f94dec8701f19d

  • SHA256

    e08d1e9c9bd59b716c3ce85ecbdbe935b5b57358f12a3f03b1f0a8914c1476f9

  • SHA512

    4fef0a875bf25d097b8cfe0eadd6e4e6e5c141ac08ab4e94112f0d7b1cae1b574e5feab68a0eb79993648aabacc2d2c51c894818af0995e78e4b7cd3a60907d4

  • SSDEEP

    49152:ZmFShsAj6/KeoXwO4RDQ8ZdTJCaY+4lNT7CM6PMQ3d2OnTqb6cPz:SS+Aj6/uXcDQ81sbB7

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=d0b4c56632452fa149160ea75abb3fd8ebbae2c4 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7fc,0x7c8,0x7c4,0x758,0x7c0,0x13032a8,0x13032b8,0x13032c8
      2⤵
        PID:4932

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (1) T1112
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (3) T1082
  • Collection
    Data from Local System (1) T1005


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      1KB

      MD5

      31b910d0e28bfa4faded9cea77abd3e9

      SHA1

      467a701f23d57c85d5efcafefeb66c369fd4d651

      SHA256

      129f2ccd30c0580a3ad0f4cbb6d84a8bedc07498fff02680a83bdeeb20dd1992

      SHA512

      947970353d67a1cde207910fb3ef8e81f42495e2400619c835caa86179af32769695b55eab10e4582d95b0781307ba58671ba451a5cb2a55df564a68b0e41498

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      471B

      MD5

      d869aa372177cefe16f9a4f3e656ae1d

      SHA1

      dd648b47c178dcd3f7cdf5f87146cd15196d6fa2

      SHA256

      d7cb6b3e1ae57fd75e9fda78c05e4f630710ccbb005a82518106dbcbc7237906

      SHA512

      bb6361cedc3ce8e47bda83d9271cd9f5ce6451866785d2f79b427af8ec74ff4b655e5d1f4a3caa052f9919c05cc423bdac2e5d0a878e2ddbac69aaa75c6354a2

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      1KB

      MD5

      c674a0c651cafbc666ff3d39fd943be0

      SHA1

      af67492d7d9e7eedd7d485df51cd08c864bf62e2

      SHA256

      c7422305f0d70e5796439ee0cdfe4766ffc4731e1c15951ddcc0ff3a4025deb1

      SHA512

      07526ece36e0e63c5e6ee4dad9aacae6f22c8b9a8b31fe137720fe90dcb2b39818fec263ec561943b6cee327454a90bba5b4b63601e18c4a7ab412090a29dfc3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      450B

      MD5

      e85d162c9f68ad0c563394aec8506166

      SHA1

      a4b7dc0c968316300f2da240e227ac7f535bd795

      SHA256

      be0a4f4ca1fafd762c0bd9ce274f0abb30c442a2fa11328c820cd8b41129deee

      SHA512

      5435ea377f67e8704fdd1e58f2433b01d921d54b52fdd1b4412f0485fab267831b03a9a9191c6bc1e7d32d54986c1bdb613d1eccf409660fede7f1a36cacf91a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      400B

      MD5

      655f335445db85104a9dc8cabe4e194c

      SHA1

      cfb2db7ac51d80173d29edb1e9347996f455d353

      SHA256

      11fa950d2a30433add4d4204cc1732a2d56c9a405990e4fd3c7bd9feb1823f0a

      SHA512

      bdfb47ce9661761546f3fedb910c463195d0393e4793be48053c119d30b3221c6b8199b4ab193a32a62015729b043975cc10f57a2f9be85f70a294e6d35e5a73

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      458B

      MD5

      61caae3919e8c67623c17da64edbfa50

      SHA1

      d37cce5d500e15b560fad242f68cb9406f6dcfb1

      SHA256

      37ec211778483fca2e7fb2877ce679d70d65dba673d3b470fc2cc9fa09368546

      SHA512

      3c64313fa05ca0c5cf81045ad6d50bbe5c83c91a766162850b6fa7dc82acab76ddf1a99acdaf9391e96c73c04fcdfa924caaff53bf3904871600a4a5e6280c25

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\PCClientBootstrapper[1].json
      Filesize

      2KB

      MD5

      3e511c368304454f7c38d2bc125ea762

      SHA1

      fc6a9ecc9cd17efb1ab85287d7a5006b0f3ad0c0

      SHA256

      8921eb5bb390fe87bc77cfb96ea9c8a914ede063c256b7db3119f2babd5f4a2b

      SHA512

      5ccc497dc5125ae885282b7e725346d010ef25efb95452ba5eafb4686a3fd5c8465dc7923bdac33bf570ed41501ce38121865f5ee92b5dc1ddbebb3b18d73842

    • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
      Filesize

      40B

      MD5

      ffd72b4fbe6c5e1fc103b648dffc4df2

      SHA1

      ef8b987d4d3a347f687581c087ef587b30b93a85

      SHA256

      55f9af62c7d6df8464565e7a0bea75a96e001613b9a937d0d32575a0c7be7b50

      SHA512

      a959aec6e2e9c5be554cfa55a62a85c6adc144c2f761235367f6d668d8554e00a46031721aa1a10b0864a143009c492c6d3baa811331a7d9de45714f14445b9f

    • memory/4932-132-0x0000000000000000-mapping.dmp