b38d83d7af1e28dda777941a4954101117904b923986673c07dc7512eab169c6

General

Target

Roblox-Player.exe
Size

2.8MB
MD5

b175580da5bae576bf2fcb6b5d096f70
SHA1

230d1e14536bdcb5138343edffd4d52b4195e72c
SHA256

b38d83d7af1e28dda777941a4954101117904b923986673c07dc7512eab169c6
SHA512

3f065c5d53df4113e6438d1154cff6d26416a30f00ddb5633d5a866495d19d0d6f236e219fb2c46791cb5492fcea9f2b3923ea32fc2efb09c63ed9092b63a663
SSDEEP

49152:fVkTZfUzAOOaGBSmY5uqPFCH684GXupzdV2yYx6I1WfK8YKwnTZMOZIh0sPJz:NkT5UzAxt3Y5hPYIJV2y26TdYKwTER

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	Roblox-Player.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
3364	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
3364	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings	Roblox-Player.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 1304	224	Roblox-Player.exe	87
PID 224 wrote to memory of 1304	224	Roblox-Player.exe	87
PID 224 wrote to memory of 1304	224	Roblox-Player.exe	87
PID 1304 wrote to memory of 3364	1304	mshta.exe	88
PID 1304 wrote to memory of 3364	1304	mshta.exe	88
PID 1304 wrote to memory of 3364	1304	mshta.exe	88

C:\Users\Admin\AppData\Local\Temp\Roblox-Player.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox-Player.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe" x wget.zip -aoa
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
585KB

MD5
aacd9b8e5e5e369c3518b86486cfc9d4

SHA1
5dd895158c2eed2ece1d5e0ea4c7b8bcae32a511

SHA256
e876cab250eb2b0aab976ff9922a3945e2b4724166b0efb64690b46fe470cd3c

SHA512
6e07165c3eb4fe5532f87d693e309f872925a21c08f1cbcda3fdbda3a803c5bafcd4146b2dfba5e1e0dce13ab8b8e274ad4beff3fe3f9adc2fa4c074c8088d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
585KB

MD5
aacd9b8e5e5e369c3518b86486cfc9d4

SHA1
5dd895158c2eed2ece1d5e0ea4c7b8bcae32a511

SHA256
e876cab250eb2b0aab976ff9922a3945e2b4724166b0efb64690b46fe470cd3c

SHA512
6e07165c3eb4fe5532f87d693e309f872925a21c08f1cbcda3fdbda3a803c5bafcd4146b2dfba5e1e0dce13ab8b8e274ad4beff3fe3f9adc2fa4c074c8088d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
144KB

MD5
2d1c72072fec74fb0eca850ef8f9f93e

SHA1
53b09ad4e564f9d392f3b781033404d92581f6d0

SHA256
b93149e44239dbdd5e6705c73ae14ee11285923e963e41e8d142e4171f20f4eb

SHA512
1d936db9b5d85098298a05717bea012be696398a88177d5d0bbf7ab2bfd22bf449240b34205b64e52f1bef34783c13def5f2e8d4ca0767fe8300ac5fc161cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.exe

Filesize
144KB

MD5
2d1c72072fec74fb0eca850ef8f9f93e

SHA1
53b09ad4e564f9d392f3b781033404d92581f6d0

SHA256
b93149e44239dbdd5e6705c73ae14ee11285923e963e41e8d142e4171f20f4eb

SHA512
1d936db9b5d85098298a05717bea012be696398a88177d5d0bbf7ab2bfd22bf449240b34205b64e52f1bef34783c13def5f2e8d4ca0767fe8300ac5fc161cc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\icon.ico

Filesize
128KB

MD5
ff901cec82391b102d9a6f35f6574502

SHA1
71ccd903a0ed9d83690cd633449667d0a03d402c

SHA256
ea00397056dbbf8e1dd49cea7b50753e859c8b624f559984bb1663acb89fa4fd

SHA512
ef12b54be6ebfaee84e630293c0ae51a85c1bad9fa2551cfdb574ec81d5071ac20e5806e1376c604e62b523f9c1b2e75f18bf2e066164b36e455830c0ef8552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\img\master-logo.png

Filesize
43KB

MD5
8c9eacbd09403a0ddc93f52af0ee7d03

SHA1
5c388ebe3208bd9a2463de467b8d740de3e33a3f

SHA256
213e8f55e484a316b6f78747bcac26def8734d8107df892ad2ea35ae1cb5d6ab

SHA512
d7158dc65753ecd9a571c7fbe0b53f2dc90cc7fd31999cfb4553f441f5051772613094d04354287d093b3d5e35cac7d77fc30d230f5baf42e55d96e33a13db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.hta

Filesize
3KB

MD5
dc4afc4067230a68b43c21a3bce470c3

SHA1
43eb090b4acc2953366132805c018443010812f8

SHA256
1230041ed8fc91fe2d2311c8acd16ed8ac2824131f7f134215efb3446e4d57f9

SHA512
16a72626009cf4c081bfff6932885b8f3879f1a1ee90ea08850af732cd024bcdce76d48a0273537c913c0aab9dd135423b03f3b4ee8b10c3c3e10b010abfed91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wget.zip

Filesize
1.4MB

MD5
a607ccf3143b8b0c34669adcf9beab80

SHA1
d207b2e4351fef0a5c8546fdb88b49ae0f34e414

SHA256
cdccc3a03f0048159ab421c22b9541ce3d372cd9bfb126ca39e973fd3ae15cf5

SHA512
99dffb314273ab8635d6ff3ef4c7d77f19dd11fa9e0aebffaf0254c7e7d7d11f4e29ee77cf3eb461487a4431b7d5e934ac9d1b6fff24e675731355618c561510

Download Submit

Analysis

Sharing