5c9817ba350156d0419beeb0005602ddce2d8b5b5d76f6b91d118b1b098df693 | Triage

Analysis

max time kernel
24s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17/02/2023, 00:15

Sharing

Report Analysis Logs

General

Target

RobloxPlayerBeta.exe
Size

57.9MB
MD5

bd4ff82af6ba0e876bebc0d41109c6cf
SHA1

ae61819bc5c27802583cad5bf9ef512b0dd131f4
SHA256

5c9817ba350156d0419beeb0005602ddce2d8b5b5d76f6b91d118b1b098df693
SHA512

2649fa51db1804efe0bae006a712d1a7fcd5b002dd3c663f68629ce389c1661fd9fd018b6f3797ce2961b526855a796c8aad95879f794f4debaa94fb8715d9f0
SSDEEP

1572864:sLd6awt8AQjM6EfLG1eX5iDprYSjb+xMzJ9IN5Yy4Z:i1eX5iDpLVTuP4Z

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	1348	WerFault.exe	25

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1348	RobloxPlayerBeta.exe
1348	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2032	1348	RobloxPlayerBeta.exe	26
PID 1348 wrote to memory of 2032	1348	RobloxPlayerBeta.exe	26
PID 1348 wrote to memory of 2032	1348	RobloxPlayerBeta.exe	26
PID 1348 wrote to memory of 2032	1348	RobloxPlayerBeta.exe	26

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerBeta.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerBeta.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 356
  2⤵
  - Program crash
  PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-54-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download
memory/1348-55-0x0000000000D10000-0x0000000006465000-memory.dmp

Filesize
87.3MB

Download
memory/1348-59-0x0000000000D10000-0x0000000006465000-memory.dmp

Filesize
87.3MB

Download