3a67f79e57ecc1b63f5e06cb205cac46e26a5e2451b72bd0963bbde77d3458dd

General

Target

RobloxPlayerLauncher.exe
Size

5.0MB
MD5

dd3229800e3b48a361637aae158c3afb
SHA1

7ae6961a6f2689ced7d90aefe29571c7c70131d3
SHA256

3a67f79e57ecc1b63f5e06cb205cac46e26a5e2451b72bd0963bbde77d3458dd
SHA512

c8f86461ecfbaeec7c3b0c7757dc4c5ed7b9dd23f9680894d4ccd0c6d7e1aa1de05a311e796ab2eb1eae6baac2c859d96904401acd034c6a3fc89d7aa0d04c0f
SSDEEP

98304:8Av6Lf5T1f2k/GPgl/BcIMvSF/g7wCks2nXbLzdR:DMf5TQlggA4jkvXnxR

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2380	2376	RobloxPlayerLauncher.exe	28
PID 2376 wrote to memory of 2380	2376	RobloxPlayerLauncher.exe	28
PID 2376 wrote to memory of 2380	2376	RobloxPlayerLauncher.exe	28
PID 2376 wrote to memory of 2380	2376	RobloxPlayerLauncher.exe	28
PID 2376 wrote to memory of 2380	2376	RobloxPlayerLauncher.exe	28
PID 2376 wrote to memory of 2380	2376	RobloxPlayerLauncher.exe	28
PID 2376 wrote to memory of 2380	2376	RobloxPlayerLauncher.exe	28

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=6628c6e0af24a80e41805419fc5e1e0c1ef7ee48 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=0 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x434,0x438,0x43c,0x408,0x444,0xfbb690,0xfbb6a0,0xfbb6b0
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
14ee939f82a11f61c4c7f867af879006

SHA1
a366063ef80b941e37f22224f06bbc95f25ac179

SHA256
3a00054f7a89ff674287e7208502e3822417bdfef630d5f35d47cbafc33061e4

SHA512
f02aa5c0e07975dc6b26317633bc93c95dbbae4f5e549a201dab0cc9ca44c8f236535e6f364aba6df362ec2ccb277956dd12bde1ebbf2e4359906f9b976832aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_3F250154DC11187BFCB0989AB25259B1

Filesize
471B

MD5
4095d0f0279b313cbd32e6cb6997ba8e

SHA1
da8a799c6668b21e8455fd18b396e561f7b0cc30

SHA256
df7747a8a22f21565c7f69e8750812746ebcf020216751bd35b64d354f4bac2a

SHA512
67f770e2bdccf6426bf027e73e054f18afd056ddfcb65c7e004813915c0f0faa029686840df3533dc134cb721628bacbbd75022edb4e0500b598f400590162ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de4f0b79be1a5360d0cd85399adeeacf

SHA1
03d8f2ec9a2b6315d4ed9367d49bae0049d005b5

SHA256
1cd3f4cec7376ab842e9899a093aa470a67b5f1aac3c1b3fce2eb9a39f94de5b

SHA512
56d9ed745f45054a16cf07600b6458a80470180a1be34ef9070ade1fae39f9996393e63fef00b4d99d5515b180e00422a96c6102dd34a5b85eb3e4fc02b4902f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
0275a63e3f5c75c7b4df7109c931a25a

SHA1
8a2a6a2debd018d070e9abb3f4e9712bbb93027c

SHA256
7b80824032c796405dcbfea6c2ecdc3886e8fe10ac8eb34ff7d3266ae65b0736

SHA512
8c3011b80df074bf7861b81f6688e541ad2a18d607e1ea28f8cac5ccfa0b952103252f566714a3149f0aff18fff9718ad8bdbbb321c0e1779ba66e62073580d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_3F250154DC11187BFCB0989AB25259B1

Filesize
396B

MD5
826904732ff689da031297ed6d510cf0

SHA1
3ae6bf70bf066d48af01ce594126604a11424d4e

SHA256
2441876c7f72422341433cf47bb9d6c11a19a74ea4db4cf6c1f62c1a053b1aae

SHA512
82661bbf95e1157bdcf8b2d03ab14285bf09ca5a1e30037f58e09bc783e7939149959156d1a3aedb81b3b4a60a5b1104c0507dcf690dbe272ca021543cce4bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B5B.tmp

Filesize
45KB

MD5
dc38d629e51926a750b443772d7c8c65

SHA1
2868765523e76b2e6706f18ecb665f4631a00d00

SHA256
21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883

SHA512
beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4B55.tmp

Filesize
26KB

MD5
e94bb6afcf1dd920ebbc4846484c3111

SHA1
353fc7e656123d274ecc53a357df6afd0e93c22d

SHA256
44935f598ee44b9bbc7a592e826ae99092cf8cfd9ebb0f62c1752377c4204ac9

SHA512
1a9b6edd32dbb6e23d6ca80540a8bc6f68369b672112441712f4902ba627419f92615aade90db18bdb70b4a739da9187134e6b7f3d61b6d327a280b23c46f420

Download Submit

Analysis

Sharing