Overview

overview

1

Static

static

1

RO-Exec-Roblox

windows7-x64

1

RO-Exec-Roblox

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-03-2024 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RO-Exec-Roblox

  • Size

    256KB

  • MD5

    527456f089fabed16c2debbb5d506ea3

  • SHA1

    a5ff06e91fe8a52783245d6f69fe826d27145aee

  • SHA256

    c7a8213e2387c1d67991a02707e99917fc4f11eddf8d9f37d71bb4a185006026

  • SHA512

    8f29dc79070565e412ab54db46296a77fbe5ea217c0a55bce85455e4fb5c29324aec972ef6eadcf8aa32541aad47f07f3b8227f90009fd671a4309b4d5c1a521

  • SSDEEP

    6144:pDuqJDfWfVSgE29xxspm0n1vuz3s94vZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViD:NfWfVSgE29xxspm0n1vuz3s94vZJT3Ce

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\RO-Exec-Roblox
    1⤵
      PID:1256
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3504
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3828
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          2⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1256
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.0.2058398531\1072049647" -parentBuildID 20221007134813 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94c5b15d-0015-439e-a722-892d8220b490} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 1996 233744f5158 gpu
            3⤵
              PID:2856
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.1.1352324872\1789416506" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab90bb70-0858-4d5d-99bb-591ddb76847b} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 2396 233743f0558 socket
              3⤵
                PID:3448
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.2.145420919\2020064056" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e42baf8-61f7-4861-a4ab-8d50a0cb5447} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 3216 2337445ec58 tab
                3⤵
                  PID:4688
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.3.2109479577\1878134911" -childID 2 -isForBrowser -prefsHandle 2988 -prefMapHandle 2984 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f7b1680-0b32-4adc-9693-3fd0069e1cb5} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 3564 23367c6e858 tab
                  3⤵
                    PID:3136
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.4.675286035\728768550" -childID 3 -isForBrowser -prefsHandle 4460 -prefMapHandle 4456 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbdf99d8-8e65-45e5-8f05-c8c028c7edc8} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 4516 2337a1c4a58 tab
                    3⤵
                      PID:5156
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.5.564225262\1680704555" -childID 4 -isForBrowser -prefsHandle 5072 -prefMapHandle 4976 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c16cc58-3c3c-4f43-a794-48851a752f8a} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 5040 2337a809d58 tab
                      3⤵
                        PID:5588
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.6.232011486\592537579" -childID 5 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56b1b899-5cf5-4b3d-95ea-d83762022d56} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 5200 2337a956b58 tab
                        3⤵
                          PID:5596
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.7.1345111905\1506630148" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b45431b-a713-4835-9485-491c4294eb54} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 5480 2337a955958 tab
                          3⤵
                            PID:5604
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.8.667266945\1847957985" -childID 7 -isForBrowser -prefsHandle 5804 -prefMapHandle 5788 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75fd805e-808f-4c35-bc05-efdb0ebcc7be} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 5816 2337c4d0a58 tab
                            3⤵
                              PID:3756
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1256.9.2110423166\389281592" -childID 8 -isForBrowser -prefsHandle 2856 -prefMapHandle 2868 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274b9f8d-329d-4570-a532-8281e18066b9} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" 2924 2337c4d2258 tab
                              3⤵
                                PID:5384

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\doomed\32230
                            Filesize

                            10KB

                            MD5

                            2acd891cf11ccbae2c8dc7993d49d8f8

                            SHA1

                            e03c965446f3f4c35056a318ce6c91adb567951f

                            SHA256

                            f6ca6d736a0e8220356a785f990c2813b0603b31398f88cfddfff2a4dc30181a

                            SHA512

                            7ee90d721a7ed0a03602198e83d6a361d6aa86244097a6285c3d9f6351e062a1310e33b2f776ee44ca9d4fae9dbc1ac086c29b9dc000d6fd0bc5e5ff8e25aed3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\16B86C1965EC3363A01A5EAD675BE76E6DED9A57
                            Filesize

                            59KB

                            MD5

                            6390b32302b559deca9b150e03dd3193

                            SHA1

                            8ac01ae76d41287d400ff0bea39696b7fab5524a

                            SHA256

                            661a7deb45ef6e5d292680f75c790f47c2d796e01ce0b82439295e0ca9ac3e09

                            SHA512

                            ed63f11a70197a6587cd703f9e438966663ad03d789afdfea293ccf99f69458aa27361227a8b88b60dc1be164f15df7631888d98765e3f48c98ec77726b72b0e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\entries\8BAD8B912F2D6C94A71545B207FE04358A4C90F6
                            Filesize

                            205KB

                            MD5

                            794b6b98976e6a075566b0c737e9ab3d

                            SHA1

                            6164ccb11929394728bf2be6504d6433a66ed6ee

                            SHA256

                            2d2e9637453503c9cb137110bb53fba90fc8698be3397a2aaf44cabab0f7fb58

                            SHA512

                            a50884b42a1328244730b9f84fe04552a23079458750bb9c6b69abd982800bdce9722853fdc24231d18893fe294debc57851749c62dfdda9da3ae6cf4716418f

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin
                            Filesize

                            2KB

                            MD5

                            e7e6697607031c40970b5eb4314e766a

                            SHA1

                            30322c0f531ccb097ad3614aa0c1717cd397480f

                            SHA256

                            91607161e873901963281ee983c6777b83c80d5762686bbc0572f44d63b3c792

                            SHA512

                            8960c45aa811caefb49983022a4b51bce3324924cfd7e2e1ebc83c8e223644075ef3d2b9d9315d782b1619db7848559e34c34ad571c54eda95fd54ceeda7a127

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\3fea2819-0159-4aa1-ba74-9422b404aa2e
                            Filesize

                            10KB

                            MD5

                            86470062c9e54e66cac94ccbc59206b6

                            SHA1

                            dfab3f705c5d9b7e0c3150437af4d1030429292f

                            SHA256

                            fcd0692d8dea14134c37520dc6d35b1d359be5daff8db6053ab620a0aa0ffa0b

                            SHA512

                            f93c166356de98d37df9c0c7d0f16e747ff0c911b3e794638ca4c491b650ea023672e851d8058cff79712ceafc54d937ce5ca0cc7d2338a654566f984ab5eaa2

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\452108e1-a1c7-4340-9d6e-58a936d50efd
                            Filesize

                            746B

                            MD5

                            4b7fd069068ffda01597797c91ec1cec

                            SHA1

                            57d9c1a40b643093032efc0fd15dfd5fe131a9fa

                            SHA256

                            220c3083dae83e3858148175d9d953cc8b9448aada20e5ed3c95cf9c34fd4420

                            SHA512

                            360ca159b0a06ab6d6388bef9ef2aedd3ac104ed62ffd4d8e9abff186443e30b5a26a7e12ac28e21940452bf621661a12e73ae81011bf632dcc8f114141f6c82

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            ac254f405543c44181ba2a0d3a1ad56e

                            SHA1

                            98be21a814e0124d6cd32e577dd7ab544ae47995

                            SHA256

                            2a3dda5ce122c5620f722f56147e4b165666c8596997ae5a9a12d14a962ff682

                            SHA512

                            d6e96895b7cb2653b6dfb2e9be73bc71d1d8f4118304ba33274606d434d896a967ce258360db8d6f013e12ba1d559b2327be0edeb53fb9efdda424b0a4c916e6

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            88de05f0136a9da28d3b42356fbc104d

                            SHA1

                            39556213080bc81ed9d02d6ac2032adf6d655b16

                            SHA256

                            8209a121859244a564756d53014137abfbc2a980195b1ca40480c235d1c0c7f2

                            SHA512

                            81574917341fad076def8b114fd97200b594b817f7c52392e19d5499d22f36be0bd8a79e15d89757118c0e795f9ca03b7e7756a2e7253ddcf815be83b6139013

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js
                            Filesize

                            6KB

                            MD5

                            67f25de5eae8fe81d28f57d27dffa4bc

                            SHA1

                            c6febee7436b13eb75ab7497eb0743b69d44ca77

                            SHA256

                            43f9ffdafc500827c5724817cd39bd87b109415e49af10682c39c45acae06ebb

                            SHA512

                            b0d262811998fe493d5f6f7e822c528008c5f2c350c55794884413d35cfb646a1fa44cc13049f233b43a996a8f838d42776fef474f3b6a0ee31f4976be01e796

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js
                            Filesize

                            6KB

                            MD5

                            2b4200024799789744d6c00164df6c3b

                            SHA1

                            485fb01d127df5b40aa5938433e712294e8d3b5c

                            SHA256

                            1283ed85a851534f495d32611c3ce41eae4ef47f04f901a933c4cce945528567

                            SHA512

                            7eb7da4f9496a923baf2183dfbd5bbd26de49d97a8873ad6ce1fabad248363f751b7f91e55af45feb30dde5e1986c856469d37e2c348a2fd30a3334f01d7ff61

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            3KB

                            MD5

                            2323eca8d54c6dcc565e8508cad0beab

                            SHA1

                            5cec5524fdcd962702d3929afe1a6923a0f75f95

                            SHA256

                            45f9422bff11100f86eec2c2641a22c38897548526c06eed67653b86c29e0c12

                            SHA512

                            144a86ff7e01a1c9a330cfc36376734566f623d35ab43f83de5499df0e0909ad9b4abfb8b5a79558a598c96e0951a18891698b06a318c3e92b087a217d3ff2e3

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            49d934804b8c878fedfd93ad26a6336d

                            SHA1

                            71f10a278354b22dfbd36f1be869455e4f2a873a

                            SHA256

                            848d940b0e222899ef71807badc238c05236a87b1c8c645b612d8c76faeb3022

                            SHA512

                            fd877dbaf8fc7a9ae1380439a3a9c837eb9d3b2f9c1aa8fdc50663ff6787042cb32c5fa9bf6918c6e96839248dfe3eaff31e03ec0d03ac93b696c57e25e89469

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            930984fd7610d9a2094fba5a7024546b

                            SHA1

                            26a105c441542e540fcbfa3981049a63f9d8bd43

                            SHA256

                            1e56cd48b6e185ebdfcd345b6c758dfa81b29dfa91741b4b800bd526b12d9d50

                            SHA512

                            94c8f1ca20f09cd1e3cc391f12a2bf58a81af862582cf6d8bdce42b680f037eda7f60ea277052e8576c450a53310b2059d5442d2086e24cf684c50c12f2077a3

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            883784ffadb0b127bc4cd886a53e6ca2

                            SHA1

                            14dec863443da97c1034787ab05ce37d7fc2d051

                            SHA256

                            72efc12a7b8cec47e10e7b70084dd7870aa22a342f37d2d9c7237c399d9443bc

                            SHA512

                            493fecaea44f0aab5b6c8c7ac42046ea7f0b8678516710bf105ca5d2dd1374310915a91686980a9cf6f4963e9022707c622b1c86b6b7183c7dfa57e791a1af8d

                            Download Submit