Overview

overview

8

Static

static

1

RobloxPlay...er.exe

windows7-x64

8

RobloxPlay...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    127s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayerLauncher.exe

  • Size

    2.0MB

  • MD5

    0d27f9cb1e48cb0dd24a3c7563bb56f9

  • SHA1

    f174179176a400842251a38009ea194c1cf5751b

  • SHA256

    0dd0117aa603ef82d810ec10ca4ee6cf1fcbf8b7d9e9c0bb9562d8ad5954fb56

  • SHA512

    3e81fc5790f8244a0065f06b88772a9ea51c03698ed210dae987e3e8e475277cc121055fae771807d62bc37aa80899b216e0262459ad59bb5a84ea591d7f9aa9

  • SSDEEP

    49152:Zbc5jQt9dZ3YPw3pNO9TLxaCzaCfTjVM5PMQ3dSuUTNb6du03q:ZbJ9dZoPw3pNsZbcuz

Score
8/10
evasionspywarestealertrojan

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 9 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
      C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://upload.crashes.rbxinfra.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=3f368f2239fd95fe34aa8c4dcce2f54fa0700bce --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5ec,0x5f0,0x5f4,0x5c8,0x5fc,0x432768,0x432778,0x432788
      2⤵
        PID:2548
      • C:\Users\Admin\AppData\Local\Temp\RBX-655D14C7\RobloxPlayerLauncher.exe
        "C:\Users\Admin\AppData\Local\Temp\RBX-655D14C7\RobloxPlayerLauncher.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1080
        • C:\Users\Admin\AppData\Local\Temp\RBX-655D14C7\RobloxPlayerLauncher.exe
          C:\Users\Admin\AppData\Local\Temp\RBX-655D14C7\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=cd8f60aa5fd1b833d79957e664b9bd42f71216a2 --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=100 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x5c4,0x5c8,0x5cc,0x5a0,0x5d4,0x1f59d84,0x1f59d94,0x1f59da4
          3⤵
          • Executes dropped EXE
          PID:932

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Roblox\Versions\RobloxStudioLauncherBeta.exe
      Filesize

      5.7MB

      MD5

      ed425a6350f3aa88c827a1b18900e896

      SHA1

      56c83310e81eac4cae5b55c378139e19a999dff3

      SHA256

      8aa742851be5f895d82316375efec41a7155328b35b7af6bb6bf307000f88938

      SHA512

      6b74dca519c71fbcb5b59806765f04498524d2964c8ef961813b6ff4ea828c198ab89d8ce6585097b9a6fff0b099399b2a579554b3ac0781d51f17cb0c51ab3d

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
      Filesize

      2KB

      MD5

      1cdbd089dfcb9336cceb0e56e816580a

      SHA1

      4ed213ef423e682c031419b16d24dc4bafb95b2c

      SHA256

      939fce76714a5874729618de5fc0a9e2b2c6c7da35f7d0128a6be705c603939a

      SHA512

      71bba557a607e9916d60d3bd27c9a10f7613ca8242ba2d11e224228719a02915f83f2c4484d5e408a8e4110590a1cc335fb17c7915e4c48522a4ec9fa99e100c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      1KB

      MD5

      b54ee3141b59659af5e3f171445c5ece

      SHA1

      a63857f696eca4e315360dbbfeb2b3f83421b359

      SHA256

      f1b98092b580635f43d37e747b963bd80f39efbbe414633290c1be160c5ace1f

      SHA512

      66c1232d177c4352291f2edfbd051b40d6164c7cb7f87bc6a07408df90d53a90d67ef4f235f9ad99ab6dd3ab78cfdfaa5e5fb55b52939c3174e44cd8c4b7480b

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      471B

      MD5

      e5e343afcb5152eac498bc1d521d28a9

      SHA1

      c108b446b00635968234c9f3d06f2656469cbbb7

      SHA256

      df5318b80304d76b3627f505533ae0f54fe21aacc2febedf0cdc2a50e9859c7a

      SHA512

      bfff46f019b3023bef17c38a3fd9c30c0cab185bd8238d54a37c7438c73afd84a7efa44d1d541d49c0bad87780b9ab0475063168b78cc4279955288e7b1d07fa

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B
      Filesize

      488B

      MD5

      8b344cd9481b3d36fc66a8c0adbdf31f

      SHA1

      9210657faf0897e1cf94f9967676b3749397f2de

      SHA256

      7517e360a72c5cc3dc15826f5e1db87749f858755fa136cebd74400dc0a71e0e

      SHA512

      5c62b5c4113dcca31defc63662aee05ca31779e42945a5dbabe8b06a5f52f7288f8c413846ae52d36bfa1fa401cace08dbc19e766b7c405a3c726d045bb7605e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      433800813ece523550d9784d8f90d568

      SHA1

      1dc24f3155b71901ca6820c21bc47f1b05c203da

      SHA256

      265d2b96917762715a8c7993622dbdfa6388ac81c1284cc8bddf3d6e257a3ca0

      SHA512

      615f289f5e93c075b6ca40c6b9bcfec6dc9b89338f3cc279a4e43b155553f20d82fd5c214aa6552607f36b09dc85da6e920b9a115867005854b3ec8295ed1924

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8dbe7accfa3c1d3a151c72f13ae37561

      SHA1

      ddc7cda233ce27c445253a2c82676fa1b5e4fb5e

      SHA256

      608b6a40932822f3c4add831f79d4e66f760ebfe230e6c0209de734ad29e258c

      SHA512

      1f6aa64cac009845d11e1843e991a834cf1abdeeba3fa96d2e62edc2c7c176aa3098ecbe8aa357b00aab2183d5fec61c1dd1919a993166e9744b5268d10bc452

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a180643bebb9ed31f3cd50065552e0a2

      SHA1

      13b03509ec04947fdf0b9abb466afea70ae8c7cc

      SHA256

      ac7e3705b56c95279867ed250dbb307298dc24b384f8ad5b177195a1a7991f9a

      SHA512

      784b7f3b9694328accae1165714e3b676fc27cf3e1fc337a3835a633d21851db4837f713dbcddca54178ca07d267d76e8313429891851c8db515c629e740f907

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
      Filesize

      482B

      MD5

      3fc1739459bac754be3818bb2bbdae0b

      SHA1

      d8e0fbc91012620db082156acfbcce3479195903

      SHA256

      e3f0e96b80b2a643165bd502bc09916bc000a627224b710c8fa9d81741e215a5

      SHA512

      4a248386fe4eb72c0faa917a31a82fbabac6487b23b12018b031fd98ddf4a3818e58b7851ef05f5fb522553f14715e243570aa53539b8b46f614bfaaad5daf06

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
      Filesize

      400B

      MD5

      68f1416700dec6e81a5c68b1b507c8f6

      SHA1

      395157014bb5e00da4f4397da4229a7484d84384

      SHA256

      eda0f5313035a2481c4f6c256ddf3edfe70930227bee66a14e3113b8d60cc232

      SHA512

      948857c8db09c85ff5a72e386fec3a26f8501ae8891f6923267e427d3c65edf73d5f9d49e7b2306a63748c53cc2432fdd81533352f37b064ed2d7dd4b1346234

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\WindowsPlayer[1].json
      Filesize

      119B

      MD5

      34b1d395262468fb7088e8cad2cd1977

      SHA1

      706ef02df2db1018e1cd7ba2004239e69b599ae0

      SHA256

      d3a13ce10e7a1cce7b463f2d12242429ae44a99cd978988026566fc264db30b8

      SHA512

      45902a73b1bc4a9bc01dc1cbfb291b14fae862db56d1a47496d9a699a89e6371dfe1c5199deae8031d245305dee4931786445c016c9f1d2df405be0fd97213cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\PCClientBootstrapper[1].json
      Filesize

      6KB

      MD5

      e8ec9994359fce0fe3fd68757a2027c3

      SHA1

      32bd982b0b4ebb47de7201e939d06e07b2cdbf52

      SHA256

      2a74c82289a4ed01f5594aeaf9312ca5acbe4e97d2fcb9d17a22aab6564f6037

      SHA512

      dc36dc2a4390d968deb85c706488584601e5830d25926fe5a03202a9018388844ecb2637924f2c001560e104bc6136866be767cb6d11b11b4f6aab0a9c2b1249

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\BatchIncrement[1].json
      Filesize

      163B

      MD5

      bedbf7d7d69748886e9b48f45c75fbbe

      SHA1

      aa0789d89bfbd44ca1bffe83851af95b6afb012c

      SHA256

      b4a55cfd050f4a62b1c4831ca0ab6ffadde1fe1c3f583917eade12f8c6726f61

      SHA512

      7dde268af9a2c678be8ec818ea4f12619ecc010cba39b4998d833602b42de505d36371393f33709c2eca788bc8c93634a4fd6bec29452098dbb2317f4c8847f6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U8A9A2DI\version-0a57b2f24afe434b-rbxPkgManifest[1].txt
      Filesize

      1KB

      MD5

      dd87ce11d5ab4a8f6db8cce82eeac88e

      SHA1

      8e12fc130c2d41ea43edb4d1c241ac172ba2194b

      SHA256

      176bf2b7635caeb5e4305efae328c694bf57108bdb6cbbe85e97716782789d47

      SHA512

      336e847304dc736089a16ebd3ea7a91214e38f73f74ad1866721447b53b675ccedc98c4e46f587e15c67455e75622f74d3a6e43ddc16027c31171ea6efd50149

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Cab91C4.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar93DA.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar95F2.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\crashpad_roblox\settings.dat
      Filesize

      40B

      MD5

      91570da6ebaf6f63e8459696c803ee96

      SHA1

      6d3a5c295d6bbe60568f60375d981d86a80eca75

      SHA256

      46abf4001d1d50e7107db6edb24937617b5cf03ec54af94ebfcd56835e48665e

      SHA512

      dc24b05ede99a925dc464fab1b50a995f21f3e5e7d69abba2727b137c6e5bb28f6586a852a35aa35b265c09488c7f996e8a8d3188c88856f8a5d163adb177ba6

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZTU2U65V.txt
      Filesize

      156B

      MD5

      f1eba4ed057cb723e2817fa566c3fd01

      SHA1

      b964e4729614b9a371491a5497b6f76cb21f3a01

      SHA256

      28aea435a8ce6ba246b2871e0dd9aadd6a843152fa2a06ca7a3827afce030dbe

      SHA512

      670c7c687ffc5a2afc444ae0f0a94d25694bdc602e4b6323368e79f02e53f3abe1c69df67b614050abbd39c0fb5f5a9e08ef8c25827da68655370adf95372476

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RBX-655D14C7\RobloxPlayerLauncher.exe
      Filesize

      5.7MB

      MD5

      938199ca646378b696716037afc964ba

      SHA1

      2d865bfeccf3badef2f64e5d6453e6ab71d5f5a7

      SHA256

      2acc3e0879e4a71a6b08e2d6af7b238198d2eda73518b9394d82d00b010c9d7e

      SHA512

      1a37727c5dfaffa3023845592b400acc226face537176064698b8415d79284b6276fe68bf0e5870dc8898a846f923bd95eaac1d185613759ad6ca1068456b322

      Download Submit