Analysis
-
max time kernel
11s -
max time network
12s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
25-05-2024 11:27
Static task
static1
1 signatures
General
-
Target
roblox executor.exe
-
Size
608KB
-
MD5
3aadab23a935174d2dc8c7fd7521ae15
-
SHA1
a448e2ab05adfbab8b20d795d6c6c402b6813422
-
SHA256
19cdd9ecb2422750ed64d6be420d725d85117b9b896173a0df54afeab7b9af7d
-
SHA512
f8e20b106c4a658544e7fff4663f485c295f6a1a8fb825cb12b0bf1be040b3ada43846d7a4768d6aad6f1b9036074854b6a94185e99e65c09a1415ac425fac00
-
SSDEEP
12288:bi9vo5iJA8ANFmaXjdmXBBI3qt4ovxONhcZK/:sAzNFmaXpmXc3qtBvKaZK
Malware Config
Extracted
Family
lumma
C2
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
https://roomabolishsnifftwk.shop/api
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process              target process
PID 4672 set thread context of 1280  4672  roblox executor.exe  RegAsm.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                     pid   process              target process
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
PID 4672 wrote to memory of 1280  4672  roblox executor.exe  RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\roblox executor.exe
  "C:\Users\Admin\AppData\Local\Temp\roblox executor.exe"
  1⤵ PID:4672
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵ PID:1280
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
  1⤵ PID:2892