10d7316ef9c54377354243744d16882e92cb97c4310eaeebc3f583abf5f9214c

Analysis

max time kernel
1385s
max time network
1172s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EraRev_Launcher/Client/RobloxInstall.dll
Size

210KB
MD5

e9e2f3e90d8560ef82aa7008270980ec
SHA1

3568df5cbe620999fd8af5312efd6871a8be26a2
SHA256

ffe76f466744b2e3b1d92a8964580c2368a6a928c79fc360a53bb727ffca86b6
SHA512

5446d242ff280358a8bbac63697f1c95f254f8d41e665c011fb038782290d1f3539643c7954b1dc2f060f79ab835985067318f5c70a5908a79a730335d67695a
SSDEEP

3072:7Kvghh6oCowEhN+QNoPje17rUpeDGxAtwKfhsn0rbIzSHozvSuKn5EhS417PN0:7CQhmuN9Ncs7rUpsjwdz+OvS92hDPN

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\ProgID\ = "RobloxInstall.Updater.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\ = "IUpdater"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater.2\CLSID\ = "{78CCC0CB-D407-4C3C-8821-03CA170DBB41}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\TypeLib\ = "{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\ = "_IUpdaterEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RobloxInstall.DLL\AppID = "{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater.2\ = "CUpdater Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater\ = "CUpdater Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater\CLSID\ = "{78CCC0CB-D407-4C3C-8821-03CA170DBB41}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EraRev_Launcher\\Client\\RobloxInstall.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EraRev_Launcher\\Client"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\TypeLib\ = "{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\TypeLib\ = "{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\TypeLib\ = "{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EraRev_Launcher\\Client\\RobloxInstall.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\ = "RobloxInstall"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\1.0\ = "RobloxInstall 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\ = "_IUpdaterEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\AppID = "{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\ = "IUpdater"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\ = "CUpdater Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\VersionIndependentProgID\ = "RobloxInstall.Updater"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\TypeLib\ = "{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RobloxInstall.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RobloxInstall.Updater\CurVer\ = "RobloxInstall.Updater.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78CCC0CB-D407-4C3C-8821-03CA170DBB41}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E0F3E777-8387-47FD-9C62-135D442436C6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA5ADC94-A8B6-45BD-86DC-1563A37BF1B1}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8592E7EA-6A7A-4B71-91F7-F12B56D06737}	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 5116 wrote to memory of 936	5116	regsvr32.exe	regsvr32.exe
PID 5116 wrote to memory of 936	5116	regsvr32.exe	regsvr32.exe
PID 5116 wrote to memory of 936	5116	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EraRev_Launcher\Client\RobloxInstall.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\EraRev_Launcher\Client\RobloxInstall.dll
2⤵
- Modifies registry class
PID:936

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads