0e774f8533566b6221fdd374f4f6f30551f4e6aeb4848521445d15158f029855

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerInstaller (1).exe
Size

4.5MB
MD5

c9c89a5180728704d9fc8b10fcfa5124
SHA1

6eb7edac4c879645641394eb20db3cf707019b47
SHA256

0e774f8533566b6221fdd374f4f6f30551f4e6aeb4848521445d15158f029855
SHA512

98fbac35cbfff889ffb7a9b26684aee196237a54a9548285c233c2abf0a6a1f7588eb28d166a3a32e103f974418a7e75477cc699e5f0c8e3e290916b44ffc220
SSDEEP

98304:Smvn+iSkszLaY6ZZBrKv0Log5yGj06VuXJ+2npsbLfNzt:P+iBsGZ7KngtE+YK3fdt

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller (1).exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\StudioSharedUI\pending-light.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\RoactStudioWidgets\slider_bar_background_dark.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\StudioSharedUI\default_group.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\TopBar\chatOn.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\TerrainTools\radio_button_frame_dark.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\VoiceChat\SpeakerDark\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\InspectMenu\caret_tail_left.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\PlayerList\SelectOn.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\DeveloperFramework\checkbox_unchecked_dark.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\particles\sparkles_color.dds	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\TerrainTools\import_select_image.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\DesignSystem\ButtonSelect.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Emotes\Editor\Large\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\LegacyRbxGui\x.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU579C.tmp\msedgeupdateres_it.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\PlatformContent\pc\textures\water\normal_19.dds	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\AvatarEditorImages\Sliders\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\DeveloperFramework\checkbox_checked_dark.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\TerrainTools\checkbox_square.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU579C.tmp\MicrosoftEdgeUpdate.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\fonts\SourceSansPro-It.ttf	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\PlatformContent\pc\fonts\NotoSansCJKjp-Regular.otf	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\StudioSharedUI\images.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\avatar\compositing\CompositLeftLegBase.mesh	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Camera\CameraToastIcon.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\xboxRB.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\AnimationEditor\img_forwardslash.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\icon_follower-16.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\ExtraContent\textures\ui\ImageSet\AE\img_set_1x_1.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\VoiceChat\MicDark\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\TerrainTools\mtrl_asphalt.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\PlatformContent\pc\textures\concrete\normaldetail.dds	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\DeveloperFramework\icon_forward.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\StudioToolbox\Voting\thumbs-up-dark-gray.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\ExtraContent\textures\ui\LuaChat\9-slice\chat-bubble-tip-right.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\ExtraContent\textures\ui\LuaChat\icons\ic-pin.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\models\AvatarCompatibilityPreviewer\bodyPreview.rbxm	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\XboxController\ButtonA.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Settings\Players\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\ExtraContent\textures\ui\LuaApp\9-slice\gr-loading-indicator.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\CompositorDebugger\sequence.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\DeveloperFramework\button_arrow_down.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\RoactStudioWidgets\toggle_off_dark.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\VoiceChat\SpeakerDark\Unmuted60.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\sounds\action_jump_land.mp3	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\GameSettings\ToolbarIcon.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\ui\Chat\VRChatBackground.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\ExtraContent\textures\ui\LuaApp\graphic\Auth\Vignette.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\avatar\scripts\humanoidHealthRegenScript.rbxmx	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\AnimationEditor\Button_Curve_Darkmode.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\textures\AnimationEditor\button_zoom_hoverpressed_right.png	RobloxPlayerInstaller (1).exe
File created	C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\content\configs\ReflectionLoggerConfig\EphemeralCounterWhitelist.json	RobloxPlayerInstaller (1).exe

Executes dropped EXE 1 IoCs

pid	Process
4060	MicrosoftEdgeWebview2Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller (1).exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-e06dda850cf14c6c"	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller (1).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	RobloxPlayerInstaller (1).exe
1496	RobloxPlayerInstaller (1).exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4060	1496	RobloxPlayerInstaller (1).exe	106
PID 1496 wrote to memory of 4060	1496	RobloxPlayerInstaller (1).exe	106
PID 1496 wrote to memory of 4060	1496	RobloxPlayerInstaller (1).exe	106

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (1).exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
  MicrosoftEdgeWebview2Setup.exe /silent /install
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
222KB

MD5
515de96cd5181c348abec1fde3f7019d

SHA1
f6349ee33061fa4b92185881b8ea7b989d66c8c9

SHA256
aeeed1697a9646e2890a9de6d369c067bb162ca88960e9c100852a52b67275e2

SHA512
6e308d8568c90ea612fc5096a47e62e3d671846591c49f035598f321ca2a5ece61b8951ad34b4717cfb921722290c2298fcc4551ccefc19b475292feb1ffa2f0

Download Submit
C:\Program Files (x86)\Roblox\Versions\version-48a28da848b7420d\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
610b1b60dc8729bad759c92f82ee2804

SHA1
9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

SHA256
921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

SHA512
0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

Download Submit
C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\dd3229800e3b48a361637aae158c3afb

Filesize
2.3MB

MD5
37b778faeb13dcf7fe342560cb258604

SHA1
10f43b75c10f7d3521bff4dec423b4767ab9eeb7

SHA256
bf37fb44cce1e631def655688e8c0a966759cf554b80d6b490b5e7d6d981003d

SHA512
17a3f0000506233a3045d55a15cff17e40bd1c1dbde503e724355fe69cac9bbc44ecd7ee0deceb251757d305cf564acc70cff6d533b9166c3fadd8111b4a6239

Download Submit