Overview

overview

10

Static

static

1

URLScan

urlscan

10

https://roblox.com.p...

windows10-2004-x64

Analysis

  • max time kernel
    66s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-04-2024 21:12

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-22T21:13:21Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_6-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    https://roblox.com.py/users/4182356941/profile

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://roblox.com.py/users/4182356941/profile
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94e7346f8,0x7ff94e734708,0x7ff94e734718
      2⤵
        PID:2224
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        2⤵
          PID:1500
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3184
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
          2⤵
            PID:4236
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
            2⤵
              PID:4412
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
              2⤵
                PID:2468
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
                2⤵
                  PID:3032
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
                  2⤵
                    PID:4372
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1520
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
                    2⤵
                      PID:2060
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                      2⤵
                        PID:1484
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
                        2⤵
                          PID:5400
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
                          2⤵
                            PID:5408
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=2796 /prefetch:8
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:5168
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
                            2⤵
                              PID:6032
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9486215077545465926,18067498853097871751,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
                              2⤵
                                PID:6084
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4652
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4572
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:5176
                                  • C:\Windows\system32\LogonUI.exe
                                    "LogonUI.exe" /flags:0x4 /state0:0xa390e855 /state1:0x41c64e6d
                                    1⤵
                                    • Modifies data under HKEY_USERS
                                    • Suspicious use of SetWindowsHookEx
                                    PID:5900

                                  Network

                                  MITRE ATT&CK Matrix ATT&CK v13

                                  Initial Access

                                  Execution

                                  Persistence

                                  Privilege Escalation

                                  Defense Evasion

                                  Credential Access

                                  Discovery

                                  Query Registry

                                  1
                                  T1012

                                  System Information Discovery

                                  1
                                  T1082

                                  Lateral Movement

                                  Collection

                                  Exfiltration

                                  Command and Control

                                  Impact

                                  Resource Development

                                  Reconnaissance

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                    Filesize

                                    330B

                                    MD5

                                    f82ee7c952cccb3603b11c227765af17

                                    SHA1

                                    2e58b525881f949a2963749a24b961d3d2327266

                                    SHA256

                                    7504bb19f8c53ebef4e511cbcea9dcc1ac86d891e475361bd5cd0521c2f84e01

                                    SHA512

                                    07bc76fa5b63fb6660b8a05178a64ee7772126eda3aac881962a7632390c7de78a0266d2b400d11406a57379755d68a527adb0c062663145e075d5534bc641ca

                                    Download Submit
                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                    Filesize

                                    330B

                                    MD5

                                    a017a80093eb59e3560511554b20892d

                                    SHA1

                                    bec54257d3a840b5565136a17b09adecb5e32510

                                    SHA256

                                    d6d66766f6cb4c66fb0b8e73207528ff5c67145f6783a6e104712a5226b5ff96

                                    SHA512

                                    303c66abfdb54aa3e4233a1b00343b65ccb2904c34fc44ab4c99ce49d0773defa651a9b823320f758d7cb8cf8c90b7b727d3c8155420643c0f3e6757815b45ae

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    e36b219dcae7d32ec82cec3245512f80

                                    SHA1

                                    6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466

                                    SHA256

                                    16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b

                                    SHA512

                                    fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    559ff144c30d6a7102ec298fb7c261c4

                                    SHA1

                                    badecb08f9a6c849ce5b30c348156b45ac9120b9

                                    SHA256

                                    5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10

                                    SHA512

                                    3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                    Filesize

                                    3KB

                                    MD5

                                    b3f71ff6a62c816f90d77c545fe4f74c

                                    SHA1

                                    49a852150109f8324798056c6223d162ed251e07

                                    SHA256

                                    8d2d732090c32e3a119253d6bc39c8bf709b688e7953e73e9a05c9e98ddc55ec

                                    SHA512

                                    70d302f82509958b255b6a4511bb46eb876c95d7539d52bffb390e6431576f525c51f905df39d81770859962da4aa9009f2b613691eb896a51c85f42a6a950ea

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    7KB

                                    MD5

                                    5f2873a6a643669a000488992df7bcba

                                    SHA1

                                    9985c254702cb78dff0f79f15427313e7faa4787

                                    SHA256

                                    413be399ecc222dfe4ba856cdbaffe5aad0271593657a43bd49a2a650dbd071c

                                    SHA512

                                    11c420760b70570aebc639b02f48951e956780c647a0150816611fda789befe5b934bf0f7d9e56210a066026f40eb12bc9e9168f5123c704542d7f16deb59e67

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    019b20fe794f4eeb15872fdc299d1a0a

                                    SHA1

                                    fa89294de268cf12c513793feec54f2d401ae8c4

                                    SHA256

                                    eada844837a7eaf9783e143a75afef87bec81c087ecccaf4634e22ec084759dc

                                    SHA512

                                    e3a734b57099853bd34a93c396c27fb3900b9698b0fd98c236d02f3356689a7ae39372039dc778c553704ef025877192c4444e32fa66785a1d447a96d7f4f763

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    7KB

                                    MD5

                                    9404d464be281a5623145cbfc138c947

                                    SHA1

                                    80bfbcb9d7928fd7e3c27bc52a5b13caacef17d9

                                    SHA256

                                    5d69a6660a168e8249c8cf1c248704d9cb22f3b571049070f1c289ce14a8ac6f

                                    SHA512

                                    f2ba249a98887d4bb3fe4a5e4fc6483ea5dca676cc459b838810d6183edf9cb8cf46673f2a8d7984f2338fa66a832e642146c41f9603fc5fd456a954ca94f7cf

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                    Filesize

                                    2KB

                                    MD5

                                    957df92255a316ae36cb2e0a9c510481

                                    SHA1

                                    5bf435d8fa0042d44acac9be43f7aad5722e4cef

                                    SHA256

                                    aa200e7f9b894dcf9c2e3c95f054ef1c79a0949dd4554e873013305360394180

                                    SHA512

                                    c440e1ea85d75f72614bc2fd25003289ecddf9c146de8539cfe6f65dfa8fe682de9643ccbff2686f50017b745139ddefc5c7f0cb0abdf5ff5711ca9b7776359d

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                    Filesize

                                    1KB

                                    MD5

                                    7190b14e744ac22fed64a71da2583478

                                    SHA1

                                    8fa564c647d00efca9dc8486d332567f7c6a4d33

                                    SHA256

                                    8ae1eb5f88e910a31950fe352c0100fad093207f2e91718a11dfa7247f8795f0

                                    SHA512

                                    eb3b9b22a198f5253873784ed0302267038ec1408b2336c5427417993bf8d6bf973566b1a950c9b98a9b2fd3f7225bb0a4c32728285f3275325ae9ae8b4deddd

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                    Filesize

                                    1KB

                                    MD5

                                    4ae06f8e436f82b0cbb95f1a9686b874

                                    SHA1

                                    89f947b33e5b9d3cc6431f3278c144d6145ff12e

                                    SHA256

                                    e469d0b05842cde026a809447709673d9766fba566745911d06fdba8573ab5ad

                                    SHA512

                                    2702d450e4c33a5ac4bf4a26594026573f9b0ca60f59cfb81119f7db9f18b7b959384de939f658e451d8359e803a011393bae1d0e34b256734d1eb7983e425fb

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578dc9.TMP
                                    Filesize

                                    1KB

                                    MD5

                                    59c8ef1867eff9b5a908e87d8589550e

                                    SHA1

                                    6e52ff128aa662c30a06ec705acbee0b32d2a677

                                    SHA256

                                    35d1db6a2c52f78f594687f415107c6cc12fc7e77813d66a9a65f987e67ed4b1

                                    SHA512

                                    97824392eae8fe11a3c33a8b21b2c58c850c011d8dcc80e91e2cc598bb43e7971ab4b1fa44b3ad9617772c8189e0df1ecbc41495dedd0e517270a26ded219f8f

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    12KB

                                    MD5

                                    e3284ac956818bb969929dc595212d2a

                                    SHA1

                                    beaa554b763da9c63d6fb99dab618a3c79f984cf

                                    SHA256

                                    94dd445942ee64b5a4ce2ac0dbe9dd1a0cd050a0e27bbb4c71675afe5fd62f0c

                                    SHA512

                                    bb232be371bb3510827219ed9d4693af0117a1107150a9216cd83f5c3b3e5f6d19ebbd9012a93e8ae610e49014649d5864824dc5a8fc84b4ff0eba12009e6e6c

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    d824fe4ce7230b62b9351596f5b08168

                                    SHA1

                                    23c6cb389abd5c923d6c7594b61e774bb00bb0e3

                                    SHA256

                                    8897cdbf9317d161a72d8a8e82638b7bfd0cfafd539ff533279ab4c7f83009c7

                                    SHA512

                                    e69e459a051ca3f6aef6710a36b1e1324bed6f4913db2f5b4859bea44bbad98d60637a480fdbfd12116bc9a5f900f894fd5c0852eff3036a4264d41afb35c38a

                                    Download Submit
                                  • \??\pipe\LOCAL\crashpad_3360_EGQBVHHBYHCHBBHN
                                    MD5

                                    d41d8cd98f00b204e9800998ecf8427e

                                    SHA1

                                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                                    SHA256

                                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                    SHA512

                                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    Download Submit