5317446a356222cb6394d3553f4f4299dd276c0a5e768c0408afa835a83ca3fb

Analysis

max time kernel
150s
max time network
182s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
31-03-2023 19:08

Target

RobloxAltGen.exe
Size

3.1MB
MD5

142ecc7159e452dc3b1b3f05c44a72d8
SHA1

f8336218417701755a27a439615e0809ae8ffbef
SHA256

5317446a356222cb6394d3553f4f4299dd276c0a5e768c0408afa835a83ca3fb
SHA512

33fcc8749783df07b6bbd48a79196b864a4de8762d2ac2574b80bde37bddb6e0e0ab1d786edd8bfad2ca236914dceee5553aef406067a503b46c1330bdce2647
SSDEEP

24576:mqjEnAxDBvPMCVwui5MMchBjh8a3jL6wZHqBm/3nHruzH7EFRIXRMxMmABlNGwB2:LEoDBnuOQm/be2AsLDzT9+u7C2y/J/

Score

8^/10

discovery

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry class 9 IoCs

Processes:

RobloxAltGen.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\DefaultIcon	RobloxAltGen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\shell	RobloxAltGen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\shell\open	RobloxAltGen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\RobloxAltGen\\AltGenLauncher.exe"	RobloxAltGen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\shell\open\command	RobloxAltGen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\RobloxAltGen\\Updater.exe\" %1"	RobloxAltGen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher	RobloxAltGen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\ = "URL: Custom Protocol"	RobloxAltGen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\altlauncher\URL Protocol	RobloxAltGen.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RobloxAltGen.exe

description pid process

Token: SeDebugPrivilege 4092 RobloxAltGen.exe

description	pid	process
Token: SeDebugPrivilege	4092	RobloxAltGen.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

memory/4092-119-0x00000000003D0000-0x00000000006E8000-memory.dmp

Filesize
3.1MB

Download
memory/4092-120-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4092-121-0x0000000009430000-0x0000000009438000-memory.dmp

Filesize
32KB

Download
memory/4092-122-0x0000000009480000-0x00000000094B8000-memory.dmp

Filesize
224KB

Download
memory/4092-123-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4092-124-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4092-125-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/4092-126-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download