Overview

overview

8

Static

static

1

RobloxPlay...er.exe

windows7-x64

8

RobloxPlay...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2023, 20:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.0MB

  • MD5

    6b68f3be3850e9b2ac03bad9f4de5b88

  • SHA1

    57c59090e38d6e0128874ed93f53a4e3c65ee47b

  • SHA256

    159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

  • SHA512

    de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

  • SSDEEP

    49152:UUvIzhIhn1g5yca9e3j8ITYMao+8k1TymMYPMQ3dS/BTXsb6Hrvd:USnhn6yca9ezeEsbg

Score
8/10
discoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=b30562552e929b28b3892128001fd4fb6e2722a8 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x7a8,0x7ac,0x7b0,0x6bc,0x7b8,0x124b480,0x124b490,0x124b4a0
      2⤵
        PID:4592

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
      Filesize

      2.0MB

      MD5

      2c3024c6aec09f36db69877db35f8e4b

      SHA1

      b582af99bd6ba14ae8fd28bc1cbbaec7b4df393d

      SHA256

      ee27f9cd887945d699f4a3f406e59c49076f38cef50976821d6439c0ab356a7e

      SHA512

      f2741ada8dea5939075baf3da61462ccd9430c005eb07f3354abd2f686ce83603f401655adb9e990d45808404c3b48d891f7d04e00766bf2904cd12a60a1e23a

      Download Submit

    • C:\Program Files (x86)\Roblox\Versions\version-be30b823d3fc46a0\RobloxPlayerLauncher.exe
      Filesize

      2.0MB

      MD5

      6b68f3be3850e9b2ac03bad9f4de5b88

      SHA1

      57c59090e38d6e0128874ed93f53a4e3c65ee47b

      SHA256

      159a30c008bb234af56a7c786cb5352e7b96dc62fac6b2ca2ea7fa75fc6841b7

      SHA512

      de8b266ef96aec59987e025dfccd51d8bd91e7e4523c6bc4ccab73de5819b429033da773c1f155e98607d1d60bd63e1b07deca2b454493bd5b8122cc265bbeb7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      1KB

      MD5

      9bf77ce85a5a981d86a0f7a4672ba22b

      SHA1

      62fb7e9f8b763de11a63a156c847e7df4dde7fad

      SHA256

      44ed3a7243fe9995a4439683d11971670eb00101c3832ad30db5242560b2b354

      SHA512

      2ead42546c80b3dbb87ac93f1324c85fc0bfed5a7c51a1217993c18d43886a9e7580a80ba9a2b6ec4c7eefd23d274fce561845ab508b427afc906ad594f58e68

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      471B

      MD5

      21ed9ca0f4579a63723066fab3cdb1e9

      SHA1

      625f8780cba0177fa7d9b747df0bd45511ddc900

      SHA256

      818a6653f6011a83d251998208826644fe68d228a739c87ec14e470e10817889

      SHA512

      203e8fa995dfd86617536e1fc445fa1fdfbc0ec462d238cfbfe1d03c81b51c81297335c4c54503070c25897858fbedd659c348ab994f9195635ff75a0f3ecda4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      1KB

      MD5

      71288df6e69e139111a733ad7b94866a

      SHA1

      9f756b5bdddb2eae7e7bf2678440117026ea8b54

      SHA256

      7441007a5974bcfdee443d0c1fe1c40d7e7f454fc0712501eb7abda978877837

      SHA512

      efab7742dd31b5397da0bf2940e9bb8de89702c39b6f062194caa33b31346ee646a3b4c622e9bc42b4ea9ed94772098476a5e87ccdfd8af0be58a7a153ffc9e0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
      Filesize

      450B

      MD5

      677e44ae2bf727985d44d124e3158c2c

      SHA1

      ec48df0b34d67c8f386069e949b9c143e85b2645

      SHA256

      2963c880e678e209f379466fab19af8ce9aed20562d0a2fb3e7d45948ef2b356

      SHA512

      412ab2276e777186e3c841a23102432e845bc6e0fa3afcfd22b2cc6916c7d5a4dcf074935971972ccce1663296c36c5c6afba2735ca92137887eb816d47fd609

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      430B

      MD5

      1686b55a8aeda5141c47d03e26dec9fb

      SHA1

      654a2105f97678c5d67304946efbde1ae31fbcf6

      SHA256

      f94699a670081208674917c85ba59cd49f253bd23941034fd44f6a7a731ae76a

      SHA512

      478f5df07887b50287e0bedc6533bf939c53765429a28165b46c659df358bfdee6ed937e1843a3ad746649b9e35d9bdc5ec6069cb162a4a159271827093205d0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
      Filesize

      458B

      MD5

      c85b8c802b11c18565158aed9002ae50

      SHA1

      22f3c141c3bcb745b47c3014a9ceac63342b68f5

      SHA256

      1504d8e1768ba3dedbf5fc1c73e0762d0efaf28fa4e8f0d8bfae7e65014183f4

      SHA512

      c82689cba2e586ce547396db7e5f6e6b93f027fdc4130673f3c029747c76c6ff5d058d5094ecbc1046d209c4ba0548c4b1eefa45c3042b2a02cf2769a8d92693

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9YACFB9R\WindowsPlayer[1].json
      Filesize

      119B

      MD5

      8e7e1124df5cb13bde562332564be4a4

      SHA1

      37314dc17a1a5635581abbaedff6ab677469a334

      SHA256

      fca98f982f815aaa96f89bb30515e35e5dde746fcd175fe987d5d885d0a8b4b0

      SHA512

      2f16df7776ff2d8e3ec1288ecc9f333553e875c2040f83677a1ca0b6f0ad664b957a0a71001f11cd5721a13c1b0a38e1cce29239c772ced1b9ca689b474b1d8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\PCClientBootstrapper[1].json
      Filesize

      2KB

      MD5

      4b220deaf4fd3370c2b7ddbb2a541549

      SHA1

      8a198376e29b37bac2837f8ccedc85a583738ca5

      SHA256

      d40df69638475cba8ea684bd7bf6bacba879cdcb8ed94dcfbda7ded17af5e2a3

      SHA512

      1d5f193f9fff2e3147dcdfe33914be803a26dd131bcc3c65b9c132f3c8bcaa0fa2cc81fa9efaed7b6374775a8aa7efd20d13065de483210865742b056759bfbe

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G1ORIWBN\BatchIncrement[1].json
      Filesize

      163B

      MD5

      bedbf7d7d69748886e9b48f45c75fbbe

      SHA1

      aa0789d89bfbd44ca1bffe83851af95b6afb012c

      SHA256

      b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

      SHA512

      7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

      Download Submit