Overview

overview

7

Static

static

3

Anti-AFKforRoblox.exe

windows10-1703-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-05-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Anti-AFKforRoblox.exe

  • Size

    1.6MB

  • MD5

    da52b8940345fab461050501ea9cd1c8

  • SHA1

    c663de3dbfcf11f754c0c32ce6ae9a3782cae4ac

  • SHA256

    3e6d8273c67fac733200a771f708887ec88fa51a8aaaf58fbb3e44c77e8395c4

  • SHA512

    f43a624a8f02b8119a86500f6c36e1fec30224a9b4812e2f693bb10b2646beee08a3d38be40073626c7294626314c9d50af094bf4adddd5e8ebca8deec9fc401

  • SSDEEP

    24576:p6T8Ujl6vO01C1GCTsYoQZtlsZdc40QDrUYuGG1ihTGTTi0C1bUCALmSkSCkxZWY:7TUwTGTT2ArPkSpxs6/Zb3yBtq

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 31 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anti-AFKforRoblox.exe
    "C:\Users\Admin\AppData\Local\Temp\Anti-AFKforRoblox.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of FindShellTrayWindow
    PID:4384
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:520
    • C:\Users\Admin\AppData\Local\Temp\Anti-AFKforRoblox.exe
      "C:\Users\Admin\AppData\Local\Temp\Anti-AFKforRoblox.exe"
      1⤵
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\horizonpublishlauncher.exe
        "C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\horizonpublishlauncher.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\Information.exe
          "C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\Information.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3780
        • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\wait-till-open.exe
          "C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\wait-till-open.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3808
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2820
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:4560
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2528
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2228
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:1728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\Information.exe
      Filesize

      1.2MB

      MD5

      6e71f504316de1b26a8bb0c49141e6d7

      SHA1

      de0fef894baec107feb1153df44287a80b995414

      SHA256

      d9989750e1ae77bd722103421d3aadbe0706d4040e57149b0a142329571095c7

      SHA512

      88e5c3c1d1445f56d23cc2d2029faa3cdeba68a16a9f88e9884bab338113fced9de18f2e0aa82b1268fce6e9d64e1717c39e07118290599de0333cbb9ef6ecff

      Download Submit

    • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\Opened.exe
      Filesize

      1.2MB

      MD5

      148d7fa9b7e8abbcad1986606579e94f

      SHA1

      94ac4b7eb545f489523c93c720123924ea4d4e42

      SHA256

      18e12b2eff723bf5f848d664e1e53e3e0579a77b750cc5fd3fd25198223820cb

      SHA512

      c767daafacdd790df3ead7f5344ec7c695eba01b7e402d1e6878446b79a93ac7e0d17cc4b2fb3c34a2c56824d2d90ce3db08de30a695e32fa3531a894d7382a6

      Download Submit

    • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\favicon10.ico
      Filesize

      14KB

      MD5

      81358ffc87fe352a00dbf9ebb75469c3

      SHA1

      944e65ebd5c374651edeac8450420b6909461286

      SHA256

      4e64b6092198df7990013cff342da6003a56468ed74f87282d3bf81e7b33f29e

      SHA512

      d3e48ef80a618fc0895d9ce085e72f9a6a101e089f7943138c5e023d1597c1593f09016d0b3e795334aa340b4f772bb53522a0d7e337930fed47d1a2cdcbbae7

      Download Submit

    • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\horizonpublishlauncher.exe
      Filesize

      1.2MB

      MD5

      de6328aa6ffe30ff5d395437f4a9ec69

      SHA1

      78352668c7a571036873fc7a92dec3ed4f517034

      SHA256

      c671b412fcec433e96ec1474f02a806fcdda28d7a555ef9b48070e5db22aaff3

      SHA512

      39273c96f985d645757a68b994951043f24ba666606c9271858f8e5b23b060ba149c7bd1302302499473150c186ee1a05e09cc799926ee3d120c2aa9968ddca5

      Download Submit

    • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\first-download\wait-till-open.exe
      Filesize

      1.2MB

      MD5

      a2cec08e4e539ff21ca72065ad43a190

      SHA1

      9e4ff4f0b0230e2053931efd1334613d1c694421

      SHA256

      cd922bc80d6096b588805fde60fd575ec656533f7da49654f4624efe2a38a4e4

      SHA512

      5a5a0dafff4d9379622df322e1896510ccd8e0ad3c5dc87b57fc844a2cb162c23ad245d3e287bce7b2fb4d6e6ea748f7dd28f1098ded135f8dfdcf800799bd6f

      Download Submit

    • C:\Program Files (x86)\HorizonPublish\Roblox\Anti-AFK\horizonpublishlauncher.exe
      Filesize

      1.2MB

      MD5

      45ef3f3d63b0dc1f691f3bd14e207a19

      SHA1

      e13940578da413a656e357d3191654e81636b4ae

      SHA256

      2a99c31d99114254ede031b1150642e990210f4a33180e930c0794caed0c767e

      SHA512

      367fd1444853a364b4fcb634e00fc66b711cf1b5d7212499e16b46237443839ff9f8e1ce017963e07d2726fe0619692f005abf34d0f6ffcba79ec5f087cb33ed

      Download Submit

    • C:\Program Files (x86)\HorizonPublish\Roblox\Remove Anti-AFK From Your Computer.dat
      Filesize

      4KB

      MD5

      87cfeb7644f6da16baf20e486776932d

      SHA1

      1486830da17719de2416f4a0851b0716c3e1a219

      SHA256

      901af07bcf6b1a5bf308232388666ef4533e32bc4e1acad5ca1c10261141c612

      SHA512

      a398b45dcdea6ab30dfe52e4b6e4a4ec063c85db5459964103b5b698a6e27c699ffee45792b2b59989eb73a83b8ee670f6fd94fd7c5c6e7dbb1ffbd67a82cc92

      Download Submit

    • C:\Program Files (x86)\HorizonPublish\Roblox\Remove Anti-AFK From Your Computer_lang.ifl
      Filesize

      2KB

      MD5

      2922d0c758d9c3c10cbdc59f91979d0c

      SHA1

      feb69bdf58d06cca776db63036811af0764ca013

      SHA256

      20f6d12eac29bd6ddc6a99dd276c5e200fac25c976ab4293195b58ec164c253f

      SHA512

      d15e888bae4e23ce5d61becc3c47d9b5f61fbbe4612cf90677314570fe1df1f4fde6c519b789ad46cc50d19c2b3701bc9bd968e85bb618fb7127950d4ae92695

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HorizonPublish\Roblox\Anti-AFK for Roblox.lnk
      Filesize

      1KB

      MD5

      f45cacc71668dccf4e80609f0d38516b

      SHA1

      d629c815082b619dd4dc9bbaf5ca8b72c8198609

      SHA256

      0005786b7522cba7698da0ea24c5ec511f80666b87c43a4becd087b2667e955a

      SHA512

      12bddff03f108bfa3caebc0aa7fb0a959f78b68829dba989d3e59da07bad6b14fb686509841b92251f91ca2bcacdbf4efba3fb2d3ced934c81dc13ab38ae486e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\Desktop.dat
      Filesize

      68B

      MD5

      18c2c547522bab9a39665a083bbc1f9f

      SHA1

      3a731fe3948c564fedfbfac3816b3e15a529683d

      SHA256

      818e30095e1e3ae3568b16e7e11df6f477a362911698525b2846a9514592fe89

      SHA512

      df77412342b44f5bc187ab42be8def4e769dac3c75d8967d39d46d7c0c50784f99f29d9117908bb337f1e0e781aba6b7e4f269d93ca48c13fb6d9a4b7c96f56b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\OS.dat
      Filesize

      194B

      MD5

      6720b01a0ad716bd2f8f7c67a0429029

      SHA1

      95558d9c17f4b41d1b76f7b9f4893ea803b75b76

      SHA256

      c195a140f6e79b1791e126a3a27561d74971b035987262eec9204ea265335c96

      SHA512

      d0612675ccb00e5c0f910589e1f1e5e1dfd4ed3f4016f5755c6b3a95a32a8c59d28c103bfd0c0b3174696729f1699b44be2e47021114f5d21d8456e2e21d4d9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\SC.dat
      Filesize

      976B

      MD5

      c2b7dcfce7128d2334c1894ba17b1370

      SHA1

      675b03702d9db7372318a67261452f7f500edd20

      SHA256

      eb8eb536fd2f21f97289f4cb039b22d1090f6d28dc1789d79f27f5fe69aea607

      SHA512

      e838b4d01199e505a1420919a7d5cd690b5b11ebfa81130d93c44c4015ba517684da34a5543e04fa8f3de64de892e1b7db36ba83c92cba7432d7a816c7b1ddfa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\Startmenu.dat
      Filesize

      79B

      MD5

      abb414c3df1357f1f7b594ba88fb3b7e

      SHA1

      0246c5ae788d399cb26b904e09b2ef217f0990bc

      SHA256

      6f60657dd5e30b69df37e92c613efa640b7e8eb076f1dafc0d6891a42cf206e7

      SHA512

      db45f53d83258a8e87e5ef7b6902452e411079aa0d3511bab2f11e7afaba587ae24419e5b1bfe4071882291b86188cb71d175caebe0ab773209a2f19ef5cce42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\headerImage.dat
      Filesize

      14KB

      MD5

      5c6627e49902fd9698d4c4c3a39e7979

      SHA1

      3c4a51826326791ceed18dca56821385fc9d9ab0

      SHA256

      5a60e44ac5a1eb2cd8a3927d34329fef1c941d58de4c99c538f9f8ec4cc82a58

      SHA512

      c2f7b2719291166acb56c1b81bcb94517b168c2b697b4a9b4f010e8e27f34e92ec97d60ed61a661291c00e6cac14f33fb462096d491b497233e3e3cbd8521c30

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\languages.dat
      Filesize

      28B

      MD5

      0759f965f825e7bd9de00ebbf55c9c59

      SHA1

      1e7544ac7df2592cb81fa51ecc6a35c8f850b1f1

      SHA256

      20cfc5eaddb2ee414017cd8451e7496fb556dd5e49c160d7bbe2b34ac994b6e1

      SHA512

      06104675d0d6181a22ee8fe17f0c28f2beca628272d1d76f938b7d552a4a89d0564388c3b1d4ca9df29b115d50f5c64e63f7795bf33ec3bef5a483828feacd61

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\licence.rtf
      Filesize

      443B

      MD5

      422f86d9d01dec81190ecba8a0af276a

      SHA1

      012c8f98a9c41ed415c8e54d5e0ce3bc33a2a815

      SHA256

      e4b4459fdf8e0f8b726123d288a9ce836386e6f53565e3e5f3ea3daa73ea5ea7

      SHA512

      109fc417576ab07e01a0155de537df274ba9d0121247d8ec563fa1784d8f63376274a9d87952ebe3b2e6a0d7a715033fb4ee7f914988c1d20e1bfbc106f6fa56

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\setupArchive.archive
      Filesize

      785KB

      MD5

      8e0746bfc71c4ac8e9ce238b664b3fe0

      SHA1

      13d559b8a2e6b06f5fd54aa20b863b5e58fb1128

      SHA256

      4d032c3bb8ec41a65a0ff211db345b42f625d4bfb636145780d98be55407a891

      SHA512

      55aaf45ebe55130d09765205f7db744d3886ede7b6455bde16f66514b2876d6038d2575478a8a4afeb740750726d9bedcf0d7d40c86ba7bf4b4e42100fe50895

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\setupConfiguration.archive
      Filesize

      37KB

      MD5

      d4c5b1bbcbfc63a051a3570079f8bcfa

      SHA1

      f9b52ea996659a8d22b6214662690dbfc6ee74e6

      SHA256

      f32b554a608f96b11ad70da8699a1eb7f575ea5843987b7b89140cd9e456c4e2

      SHA512

      7d7646b7d5b633c79b02a52208be3dc4a1ddef6f112d9d99bc9f68d9497a798b5d45803613766cd5fc220fcab1f56e9b3aa0d6c57c8ed8373c701070fc231501

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IF{DD6A5E8F-9759-45D4-895F-19FAB659D18D}\wizardImage.dat
      Filesize

      28KB

      MD5

      4113672c304403c261c91f10599a49fc

      SHA1

      dfeda57d7b7d6b46efa95608412e3c5d2ef8b27e

      SHA256

      0fee387af68d64a4c7bce5218ba94542c682050b171ccecb45767c1c061e9423

      SHA512

      b554c9c94071346167115bc3c975bc22dd2e64d7b10ff9972e62fb264d4e25d5550eec7c3946a18af7a865024ae83c4aa0d824c0937c765be75344f5cd260284

      Download Submit

    • C:\Users\Public\Desktop\Anti-AFK.lnk
      Filesize

      1KB

      MD5

      1ad388bd33870206142e23ca46ed73b9

      SHA1

      3b171f6512306e8c9e5e946775c009ef8966104c

      SHA256

      88e9209346d4125fc1e7455a8e7afe21e4af6add40ceaf983872143dfe47d552

      SHA512

      e5991932e4403b9cc1f64d9a76537f130609b385fe8ae763d28f2cd887a6e72f60925cd1fa0bff19e07e0a74e1d9407b56e640711892b96fbc90dbd827d0edae

      Download Submit

    • memory/1728-247-0x0000020D50630000-0x0000020D50632000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-250-0x0000020D50660000-0x0000020D50662000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-241-0x0000020D50530000-0x0000020D50532000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-243-0x0000020D50550000-0x0000020D50552000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-245-0x0000020D50610000-0x0000020D50612000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-238-0x0000020D3FE00000-0x0000020D3FF00000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2228-215-0x0000021DDC080000-0x0000021DDC180000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2228-216-0x0000021DDC080000-0x0000021DDC180000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2228-214-0x0000021DDC080000-0x0000021DDC180000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2820-206-0x000001CDEE2F0000-0x000001CDEE2F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2820-187-0x000001CDEF120000-0x000001CDEF130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2820-171-0x000001CDEF020000-0x000001CDEF030000-memory.dmp

      Filesize

      64KB

      Download