hxxp://now[.]gg/roblox

Resubmissions

11/03/2024, 21:15

240311-z3676aee6s 1

11/03/2024, 21:09

240311-zzg4vsed4t 1

11/03/2024, 21:06

240311-zxwt8sgd67 7

Analysis

max time kernel
600s
max time network
599s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11/03/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://now.gg/roblox

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133546721904636336"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
1268	chrome.exe
1268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 960	4944	chrome.exe	82
PID 4944 wrote to memory of 960	4944	chrome.exe	82
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 3664	4944	chrome.exe	84
PID 4944 wrote to memory of 4880	4944	chrome.exe	85
PID 4944 wrote to memory of 4880	4944	chrome.exe	85
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86
PID 4944 wrote to memory of 4392	4944	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://now.gg/roblox
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc54b99758,0x7ffc54b99768,0x7ffc54b99778
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:2
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4436 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:1
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3256 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5040 --field-trial-handle=1816,i,10144664386282366556,873599133533522233,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
cb6f6f755c5fac2fb01b0862b454608d

SHA1
446eb82e57b7348f5af42c682881b92f8f83561f

SHA256
fefbe0315bb199ea9a585c9d91c4aa583c043903f6d18e7d5f584aceda848747

SHA512
5be8a38035d9bd5168bfcb4ce8b73f83d28bbfe5e95c5366c0c2b3e5c22cb69e97aae75b593ab479c94ebbd95ee59fe5e1aa7baf6dd1da25243ce6f8496762d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8258d856f07395c1b5a519d00b4fdc54

SHA1
f69240a397eb07ee90940481c958f7df60e1664e

SHA256
73d735bc3ab7123c199e3857ce999be3237b55ff6bb5e7e814382ade2f76fdbe

SHA512
5a8860df9671b7d8f7aa00c5b89d36322b5f16b493990644030c730803e6343ba0609b51d5b5779a374a1f52f1d1ca80be573203109d4895bcb465d7d53e654e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2d41d1be3882c5faa8028bc38513d0f3

SHA1
975d03a8bd615303853a8316cc9988618805c8a9

SHA256
0b29edbee16e3d972a411a4e42846812f54909a8974923a614149516725afaaf

SHA512
7d5d41488254e6de907fd9ead2d9b03d4e4a4dd354a3e49ee37b98a86ff847dd50c3616109a962e8e290a0a42ece123df52b39f95cb12cc8efc8ba59be3ba6b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
37d60510cf3b9492aea392b574294f47

SHA1
4cfcb959d964c1fe0bf08fe41e572d7685ae3313

SHA256
0d03d11163619db601c5ed3798426685419a755924b715e09b4bcc1671745803

SHA512
275ba183f3d60f85c8e0ab6425902d892095b23b0fb6a19a20184d77cd4951816a5853158cde028fa38291e7fe369e5d3cfc765355e449c86abdb061fe56b6b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5c675c61cb4e4b96d9b611f14d5cdeac

SHA1
193bf0b2c20218b2dd18e9297e8210ceaa1ac420

SHA256
a20933ebcda36f515d6e5175e8541fc9b9f52acfd2927b9bbd3c9b0f5b74d4c3

SHA512
bf38e5b6f64e2739b817e5159de8329235585a3b235cf9742abd5be1bde80a322dffeedab13f40e2fcf7cff11181d7205fbed407d5521b87354ff5932ea4710f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
a2e4a339399897b31900fc310365e5e7

SHA1
e4c48d960f18f357c4598b74cffc414b407021be

SHA256
ae7a19f6cb94ffa6a928b222d0a71f4e56a1115caa213ed87e84bd4943f5cdd1

SHA512
7b8bb0383240b51bc1c233ce2269603b0354221dcf5889b5c31dd4f8563a4c7f68a375cb66be384823b46d4767316684b3681bdb3b610e441dd4df000aea6a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f5b398b8c7b4bb32a741473bca1b2f35

SHA1
f080e91b5a0a556fc730ed6ae175360249dc739d

SHA256
0745f9a69f6c15ab700c06427a3fc62feb75a8e721e82f3ccc79dadd4dc04add

SHA512
a15d69ee7dc38472d4439f28877f0ffa14bd238e07a533ccf8b0c1054395da1321dd8044686f62410fe6b6bbf4d8e91f8ab8afa7ed61ed766e255408798260fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
2eb5bd8367ecda173e779d28f177cf75

SHA1
7da62559b23dcf7217a064e4daa6cf960327ccdd

SHA256
43edaeeb7796cf69312050fd2c4475943e17c2106b30a0d8e3a075c6f1cb2e33

SHA512
25b731197eabc4637fe31018305a68301c9d83eb415f6b478bbf0ba5a99aacbc0d6ebd6916b25aa0a1ca3c7cc62776da0c3ced606b0026bb2c1bc141ccc14c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit