General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    1.6MB

  • Sample

    240419-vebdcshg87

  • MD5

    df3c89248671866cfb9e0a407fad20b4

  • SHA1

    2258e20671e6aaba8ce75abb5bc5bca8c4df0035

  • SHA256

    93580834e65af2f5a83aacef47a1ec3ef45fc6ab9683ec4df771bbea713ab38f

  • SHA512

    f6658f2653aefebc573518773c97319d87d70cabeb182cd622a5722d4df0417df17318f4b25b7929ab03e982a072e914175971b96e205356c5c6a23a3fedaf01

  • SSDEEP

    49152:NmAhTN2Q5MmBRS+qYNS2+3njUrG+TvamoGXtTOgM7PMQpdAUFTHrPHHoV5N:gAhTkyZBdM2+3njUmrPHA

Malware Config

Targets

    • Target

      RobloxPlayerLauncher.exe

    • Size

      1.6MB

    • MD5

      df3c89248671866cfb9e0a407fad20b4

    • SHA1

      2258e20671e6aaba8ce75abb5bc5bca8c4df0035

    • SHA256

      93580834e65af2f5a83aacef47a1ec3ef45fc6ab9683ec4df771bbea713ab38f

    • SHA512

      f6658f2653aefebc573518773c97319d87d70cabeb182cd622a5722d4df0417df17318f4b25b7929ab03e982a072e914175971b96e205356c5c6a23a3fedaf01

    • SSDEEP

      49152:NmAhTN2Q5MmBRS+qYNS2+3njUrG+TvamoGXtTOgM7PMQpdAUFTHrPHHoV5N:gAhTkyZBdM2+3njUmrPHA

    • Renames multiple (78) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Browser Extensions

1
T1176

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

5
T1547

Registry Run Keys / Startup Folder

5
T1547.001

Defense Evasion

Modify Registry

7
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

7
T1012

System Information Discovery

7
T1082

Collection

Data from Local System

1
T1005

Tasks