8f3fe55480388b43e385ca4e240f77cae90b37c4da3285af3da76495c7f4c440

Analysis

max time kernel
180s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerInstaller.exe
Size

4.5MB
MD5

32941ed3588da058b120375bbe77c6d8
SHA1

4fc873c3200a65205053d2d04989b407df0ade70
SHA256

8f3fe55480388b43e385ca4e240f77cae90b37c4da3285af3da76495c7f4c440
SHA512

19ee5c5c0ceacca7bcc4ca7d41026da6525d2771d33cefd5a8511c5b922d98d8c281a6ae794a4e1d73efd8c4831daf7e7854744b051a191e2c4a1f495ab21d83
SSDEEP

98304:nwveaNoe1sGM8cRSMDtLRDgcaV2RDnYsKxS0S4Obkm:YTNnm85sgcX50/OJ

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaChat\icons\ic-group.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\btn_greyTransp.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\models\LayeredClothingEditor\PartHeadTemplate.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\fonts\families\RobotoMono.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\StudioToolbox\placeholder_video.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\StudioToolbox\Voting\thumbs-up-dark-gray.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\DefaultController\Thumbstick2.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\avatar\unification\CollisionHead.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\fonts\Ubuntu-Italic.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Settings\MenuBarAssets\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaChat\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\DeveloperFramework\PageNavigation\button_control_next.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaApp\graphic\player-tile-background-light.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaApp\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\VirtualCursor\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\Debugger\Breakpoints\client.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\PurchasePrompt\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\dpadLeft.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Emotes\Small\SelectedLine.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\MenuBar\arrow_up.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\avatar\compositing\CompositRightArmBase.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\fonts\Nunito-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\CollisionGroupsEditor\delete-hover.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\StudioToolbox\Gallery.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2001.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU2001.tmp\psuser.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\AvatarEditorImages\AvatarEditor.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\TerrainTools\mtrl_salt.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\TerrainTools\UpArrowButtonOpen17.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaApp\graphic\ph-avatar-portrait.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\avatar\heads\headO.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\AnimationEditor\btn_collapse.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\GuiImagePlaceholder.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\InGameMenu\TouchControls\touch_action_zoom.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\PlayerList\AddFriend.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\StudioSharedUI\dot.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Slider_sel.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Settings\MenuBarAssets\MenuButton.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\GameSettings\ScrollBarBottom.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Settings\LeaveGame\gr-item selector-8px corner.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\VoiceChat\Connecting.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\VoiceChat\SpeakerLight\Unmuted0.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\StudioToolbox\AssetPreview\pause_button.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\TagEditor\TagEditorPluginIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\AvatarEditorImages\gr-selection-border.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\ui\VoiceChat\SpeakerLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\content\textures\WindControl\ArrowDown.png	RobloxPlayerInstaller.exe

Executes dropped EXE 1 IoCs

pid	Process
4408	MicrosoftEdgeWebview2Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-32301f72dce64d3d"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3480	RobloxPlayerInstaller.exe
3480	RobloxPlayerInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4408	3480	RobloxPlayerInstaller.exe	101
PID 3480 wrote to memory of 4408	3480	RobloxPlayerInstaller.exe	101
PID 3480 wrote to memory of 4408	3480	RobloxPlayerInstaller.exe	101

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
  MicrosoftEdgeWebview2Setup.exe /silent /install
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
4.4MB

MD5
96cc5095768386c4a90564b24c9fd626

SHA1
539ca20045748a6de75668a47d9e96ac7b968c00

SHA256
b420ed28fd7678b2af149795e7e7365a5dbba29eb2bc6e923c13ba43a5c20f1a

SHA512
7bd6347ef9ecb3160add21ed30b7a7b377a7ed8b2223e30615b021b02291013c88408074fe45eb8d1c8541a1e74bf47472e6ccfedc6ad7de3358ca76c4eb752e

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-57e2dd886e0e42a5\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
610b1b60dc8729bad759c92f82ee2804

SHA1
9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

SHA256
921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

SHA512
0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\d4845be8c0192ae3d60151695a2bd063

Filesize
4.9MB

MD5
d4845be8c0192ae3d60151695a2bd063

SHA1
e6fb50fc241cbec75d953b7f0b240ad4c19a396f

SHA256
9a3b7b139d754bf44bb4481f52d14d2e695ee8ea0e330591aab75f0103f73fb3

SHA512
77045b572bfe05b859518e9b2b12ff9e5326232520c0e8b4295035aedfdd4a62802075a9b62618c91742dde391bae98f22389627f9a7cda5ba4a72ea3dd54164

Download Submit
C:\Users\Admin\AppData\Local\Roblox\logs\cacert.pem

Filesize
219KB

MD5
1a4af016c683d93ebfa916f641da64ac

SHA1
c89c32b9620917d1cdbf34fb5b03f1a595e48e3a

SHA256
9483f4bcc05eea3c5929627130b8e574fdc850b4fac319d7e98c4f68c59a3a0f

SHA512
3b2ca0d5d0bdee0d060d50c71c88c9c7d35c9d0f0956b135ca6ddfa2618feba5774fbff2ce866f18ae20b90139e0c1eb8bf4087ac9337498b733d0da434d3eec

Download Submit