General

  • Target

    RobloxPlayerInstaller.exe

  • Size

    4.6MB

  • Sample

    240222-znymgafd93

  • MD5

    884f182558478768a43de12bbb5bd168

  • SHA1

    831ce37ca2289cf123733306077b936c9407319d

  • SHA256

    bb4fa744d72612edd395213bba74efe233464cc8707ec55aa85052b6211757b4

  • SHA512

    665e957a508547a673ec354ef8008e16058e7aa50f1520e0539940c99beb35b9375c9546efa3dab58ced01a80c95a68ed17c76350efde3472da625ea877043ff

  • SSDEEP

    98304:SgvS1Dypc267gUyOKglfVYMvLUCWcUwyHbvLt:lQDYc2npgFV7W95L5
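The digests above are the only reliable identity of this sample; the filename is not (anything can be named RobloxPlayerInstaller.exe). The script below is an added example, not part of the sandbox report, that streams a local file through all four algorithms in one pass and reports which of the report's digests do not match. The digest values are copied from the General section; the function names and the chunk size are this example's own choices.

```python
import hashlib
from typing import Dict, Iterable, List

# Digests copied from the report's General section. A downloaded file is the
# same artifact only if every one of them matches.
REPORT_HASHES: Dict[str, str] = {
    "md5": "884f182558478768a43de12bbb5bd168",
    "sha1": "831ce37ca2289cf123733306077b936c9407319d",
    "sha256": "bb4fa744d72612edd395213bba74efe233464cc8707ec55aa85052b6211757b4",
    "sha512": "665e957a508547a673ec354ef8008e16058e7aa50f1520e0539940c99beb35b9"
              "375c9546efa3dab58ced01a80c95a68ed17c76350efde3472da625ea877043ff",
}


def compute_hashes(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hash a byte stream once, feeding every algorithm from the same chunk."""
    digests = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def mismatches(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Return the algorithms whose digests differ; an empty list is a full match."""
    return [name for name, want in expected.items()
            if actual.get(name, "").lower() != want.lower()]


def verify_file(path: str, expected: Dict[str, str] = REPORT_HASHES,
                chunk_size: int = 1 << 20) -> List[str]:
    """Stream a file from disk (the sample is 4.6 MB; no need to load it whole)."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return mismatches(compute_hashes(chunks()), expected)


if __name__ == "__main__":
    import sys
    bad = verify_file(sys.argv[1])
    print("match: same sample" if not bad else f"MISMATCH on: {', '.join(bad)}")
```

SSDEEP is deliberately left out: a fuzzy hash needs the `ssdeep` module and says only that a file is similar, which is what you want when hunting repacked variants, not when confirming that the file on disk is this exact sample.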

Malware Config

Targets

    • Target

      RobloxPlayerInstaller.exe

    • Checks whether UAC is enabled

    • Downloads MZ/PE file

    • Sets file execution options in registry

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger
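The two "hide from debugger" signatures refer to concrete, checkable values: NtSetInformationThread with ThreadInformationClass 0x11 (ThreadHideFromDebugger), and NtCreateThreadEx with bit 0x4 (THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER) in CreateFlags. The script below is an added example, not code from the sandbox or this report, showing how those and the other listed behaviours can be flagged from an API-call trace. The trace format (one call per line, `Name=value` arguments, quoted where they contain spaces) and every line in SAMPLE_TRACE are constructed for the example; the file and registry paths in it are placeholders, not indicators taken from the sample.

```python
import re
from typing import Dict, List, Tuple

THREAD_HIDE_FROM_DEBUGGER = 0x11            # THREADINFOCLASS value
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4
IFEO_MARKER = "\\image file execution options\\"

# Name=value or Name="value with spaces"
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_call(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Api Arg=val Arg2="val"' into the API name and an argument dict."""
    api, _, rest = line.strip().partition(" ")
    args = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(rest)}
    return api, args


def _num(value: str) -> int:
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def classify(api: str, args: Dict[str, str]) -> List[str]:
    """Map one call to the report's signature names (empty list = nothing suspicious)."""
    hits: List[str] = []
    if api == "NtSetInformationThread" and \
            _num(args.get("ThreadInformationClass", "0")) == THREAD_HIDE_FROM_DEBUGGER:
        hits.append("Suspicious use of NtSetInformationThreadHideFromDebugger")
    if api == "NtCreateThreadEx" and \
            _num(args.get("CreateFlags", "0")) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
        hits.append("Suspicious use of NtCreateThreadExHideFromDebugger")
    key = args.get("Key", "").lower()
    if api.startswith("RegSetValueEx") and IFEO_MARKER in key:
        # Any value under IFEO is interesting; Debugger= is the classic hijack.
        hits.append(f"Sets file execution options in registry: {args.get('Value')} under {args.get('Key')}")
    if api.startswith("RegQueryValueEx") and key.endswith("\\policies\\system") \
            and args.get("Value", "").lower() == "enablelua":
        hits.append("Checks whether UAC is enabled")
    path = args.get("Path", "")
    if api in ("NtCreateFile", "NtWriteFile") and path.lower().startswith("c:\\windows\\system32\\"):
        hits.append(f"Drops file in System32 directory: {path}")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, API, signature) for every flagged call."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        api, args = parse_call(line)
        findings.extend((n, api, h) for h in classify(api, args))
    return findings


# Constructed trace, not from the real sample. Paths and names are placeholders.
SAMPLE_TRACE = [
    r'RegQueryValueExW Key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" Value=EnableLUA',
    r'NtSetInformationThread ThreadHandle=0xfffffffe ThreadInformationClass=0x11 ThreadInformation=0x0 Length=0',
    r'NtCreateThreadEx ProcessHandle=0xffffffff CreateFlags=0x4 StartRoutine=0x401000',
    r'NtCreateThreadEx ProcessHandle=0xffffffff CreateFlags=0x0 StartRoutine=0x402000',
    r'NtCreateFile Path="C:\Windows\System32\example_dropped.exe" Access=GENERIC_WRITE',
    r'NtWriteFile Path="C:\Users\victim\AppData\Local\Temp\stage2.exe" Length=4096',
    r'RegSetValueExW Key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe" Value=Debugger Data="C:\Windows\System32\example_dropped.exe"',
    r'RegSetValueExW Key="HKCU\Software\ExampleVendor\Settings" Value=Run Data=1',
]

if __name__ == "__main__":
    for n, api, sig in scan(SAMPLE_TRACE):
        print(f"line {n:2d}  {api:24s} {sig}")
```

The fourth and sixth trace lines are there on purpose: a normal NtCreateThreadEx (CreateFlags 0x0) and a write under the user's Temp directory must not fire, otherwise the rules reproduce the noise of every installer. Note that ThreadHideFromDebugger is also used by legitimate DRM and anti-cheat code, so treat it as a reason to look closer, not as proof of malice on its own.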

MITRE ATT&CK Enterprise v15
