29d5d5af782442398d76e0347993c4c54dfbb72b726201d43fb87f63603f384b

General

Target

RobloxPlayerLauncher.exe
Size

4.8MB
MD5

3d543894585b94e6aacf84393316d6ad
SHA1

0c5f434dee448ee68934592041599a352eb4adc9
SHA256

29d5d5af782442398d76e0347993c4c54dfbb72b726201d43fb87f63603f384b
SHA512

ac33049a35be16928f4467507693bddec888273ad38f06ac35a086e5a4e1a01fa9a6186d05412ef685bbc7f46bbfed55815b5c5948938cc636e612f235a4dce1
SSDEEP

98304:LqvQa+5F/FTJvBfCZSWxAqge4mjduCakK+lZkbYiF:i25jJ5CLge9Y+3klF

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1920	2224	RobloxPlayerLauncher.exe	29
PID 2224 wrote to memory of 1920	2224	RobloxPlayerLauncher.exe	29
PID 2224 wrote to memory of 1920	2224	RobloxPlayerLauncher.exe	29
PID 2224 wrote to memory of 1920	2224	RobloxPlayerLauncher.exe	29
PID 2224 wrote to memory of 1920	2224	RobloxPlayerLauncher.exe	29
PID 2224 wrote to memory of 1920	2224	RobloxPlayerLauncher.exe	29
PID 2224 wrote to memory of 1920	2224	RobloxPlayerLauncher.exe	29

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=8d8c433e7b2c91521a08c18be959329dee6f0bc6 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5d4,0x5d8,0x5dc,0x5a8,0x5e4,0x7b35b8,0x7b35c8,0x7b35d8
  2⤵
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
0bcbefa29b03feeb9b8fb1e023e3a827

SHA1
ff843617a005bcd8eb38c2c7eac6806b320f1086

SHA256
08b08bd7310148f9f0a88ba2227e1f0fb4806d793d6f39a1b84cddac3fc5fb4f

SHA512
33463f4713a5a803586621041efb8ff392411c97c68ba8bc25ca65f8bf645a5efd09044c08d98b2a1dd129aacefa38d28e125ffaa74d7cd0492f0c50cb060924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
e5723ba4efb1cbd209eefef21a718808

SHA1
4644961e7f988247953e13941a98d9bfa4152e56

SHA256
e970a1eb5a33804658c7295ab85b63a59119d0373cbabe04229975b92faebeec

SHA512
6113b20b0d56ad54ecd252e5b42453d17fdeb3ed302c2511b1fca9ae1b9730f869b12eca195cebfd37e55c1a1a6d9004a9fd8270c1ee4f30bab06598eaabf952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NQTBXEJ\BatchIncrement[1].json

Filesize
163B

MD5
bedbf7d7d69748886e9b48f45c75fbbe

SHA1
aa0789d89bfbd44ca1bffe83851af95b6afb012c

SHA256
b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

SHA512
7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGCFYHZ3\PCClientBootstrapper[1].json

Filesize
4KB

MD5
302da75e6bb5734752fd9625152afd97

SHA1
0167415be8d3ea04ba7e1c08eb2a9255f9464538

SHA256
3543be5d4312872f45613cdd8cd094418c1c64ca7613d6f9783202d490fc5e4f

SHA512
7ebfa79d82391859021768146f9d797659627f4bdb834c9d3c8ae078f48aa0d11afb86bf2c4272d5b349e919eb2a0aab6bdf451ef6c93f427b8388db10a890c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAC37.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit

Analysis

Sharing