Overview

overview

10

Static

static

10

RobloxPlayer.exe

windows7-x64

10

RobloxPlayer.exe

windows10-2004-x64

Analysis

  • max time kernel
    80s
  • max time network
    90s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 01:55

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    RobloxPlayer.exe

  • Size

    78KB

  • MD5

    8f3d0d4044ff8cc1d847687568c91e14

  • SHA1

    fd9049e0e5c074603b78a2aea228b75e4ce6c099

  • SHA256

    1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0

  • SHA512

    afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY

  • server_id

    1201970766531530822

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4744
    • C:\Windows\SYSTEM32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77RobloxPlayer.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:5568
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.0.812847443\391642696" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76573fb8-dc08-4b40-a211-765e86edded7} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 1864 2282200f358 gpu
        3⤵
          PID:3628
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.1.1009662055\1250891115" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08181120-d5fe-4ef9-809d-67345d6cd1d5} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 2436 2280dc87e58 socket
          3⤵
            PID:3056
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.2.1113357240\426961179" -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5319df9e-5cd3-44e7-8884-245ebcc28b6d} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3040 22824f0c758 tab
            3⤵
              PID:4480
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.3.1603646585\1294974818" -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 2776 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a55a91f6-742e-447a-9905-d2a9f1c6e915} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 3888 228269e8858 tab
              3⤵
                PID:2076
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.4.1348610274\1275005946" -childID 3 -isForBrowser -prefsHandle 5048 -prefMapHandle 5044 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23ef4a0b-507a-4ed4-996a-89ab8ccffd3c} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5056 22828797f58 tab
                3⤵
                  PID:5516
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.5.879069292\608113738" -childID 4 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcfe6fae-efed-45a0-8b80-b3ecee5c473c} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5192 228293af658 tab
                  3⤵
                    PID:5524
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.6.1790575598\1321436996" -childID 5 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a15c9a9d-7668-4845-b42c-0af3ef36af01} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5368 228293aea58 tab
                    3⤵
                      PID:5532
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.7.1365149616\1803517942" -childID 6 -isForBrowser -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0e9f910-b561-4326-bd3b-20cfed0cb8e8} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 5832 2282904c958 tab
                      3⤵
                        PID:5784
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.8.26852645\1554519528" -parentBuildID 20230214051806 -prefsHandle 4744 -prefMapHandle 4796 -prefsLen 28041 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {414f0524-512f-44aa-8304-bd1a30b60241} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4880 2282a89d558 rdd
                        3⤵
                          PID:1332
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.9.200443719\261598553" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 5792 -prefMapHandle 4816 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d85b1d0-31bc-469c-9d0e-6fb93f56b054} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4828 2282a89e158 utility
                          3⤵
                            PID:1620
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1548.10.1250681009\1018295916" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 5848 -prefMapHandle 4744 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee94cf2-c413-4c1d-a3ff-1c0816700a02} 1548 "\\.\pipe\gecko-crash-server-pipe.1548" 4176 2282a8a0e58 utility
                            3⤵
                              PID:4112
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
                          1⤵
                            PID:5420
                          • C:\Windows\system32\AUDIODG.EXE
                            C:\Windows\system32\AUDIODG.EXE 0x2f4 0x41c
                            1⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2036

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp
                            Filesize

                            28KB

                            MD5

                            ecca7c11c01b1ac61ba7a802efd9c37a

                            SHA1

                            d1790c4e168bb7e0100338780c3029bdac9963c7

                            SHA256

                            1af9c55ebe334e3c8ea053a13ace6c0f804686ca33a3af501a832333a3ad33f9

                            SHA512

                            31edee9d59a29342411a0073bcbe5d6e719f2540f0fb464eba8217f2549e907c7fd9d3f34e9cc2b948865ca696b3e88b1a4d21e23599a0b6ba192030f887ef45

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\1BD06364B17F941101FCC95275213BEB65016BDA
                            Filesize

                            60KB

                            MD5

                            36688869efcc9a99957c41d29e33c769

                            SHA1

                            efc7bf8eea12712417d149a9f7bde7c47425a0bb

                            SHA256

                            5ff9e29681a3a0ffa7fa1988982e699b03205a6fcb512067f53837a7b5c7b9af

                            SHA512

                            903226bbafa9adaa3651a9a7385c0d435b8a75a7acb3fc27f6b44cf2c2420a2f69a05b1894ff7ead0936a3d9482d06dc85fbb25ddb582fb06cac7064d6841171

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            474b4847c828697653b5ee9a24f00c26

                            SHA1

                            d35c7cfec613b0df8e24902b33ade3490572f9d8

                            SHA256

                            1a54ce3a35d2d90cee8805694e4d0e7c4e5f8d0679e273817d34675706c246ab

                            SHA512

                            579db2235f2e6939d37d2fb06175c339a8a0cf3ce221142ba0a2595f6057f529c5dd7731f40477246faa74d83a05b402b4a46970521b3b98baeccdd145e20e2b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
                            Filesize

                            7KB

                            MD5

                            6ee9c29873cd9437443beeb53a263c20

                            SHA1

                            93514d294af4108535e7ad03603982aee614c8bf

                            SHA256

                            79c69be02948e9de7b048dc19aa0bb984b803ffb099608643b2639dfa1357a96

                            SHA512

                            1ba25225031837dd767f6e615bec28764f5d49a72442fc58acef95df7a1c3f9708daa6e40c66dc82d0c16e021c82cd7e0f88707d820b009387ad5168918936cb

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js
                            Filesize

                            6KB

                            MD5

                            a64683bde01f18cc76e3a4b4087a2001

                            SHA1

                            c7e362a6882df5d7743d1ceb363d55b02e41f910

                            SHA256

                            f89679f99b9b00bf39c397a9fcdb902d8d0aabb4d0b4fee1a15a2375816913dc

                            SHA512

                            5961608b251683ead0062a68570f193d7c7e75f8a853d98655f5d53a4fd625851604224ea76069f3304b03f9f78e6540251b352ef79d567fe1c718fefd731a7b

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            f35e7100f4abfceb1d258dc797917c79

                            SHA1

                            12319f017894e95d98496c1c9423a6cfdc2890b8

                            SHA256

                            6716e07098c90bc73e19161fef6b9e381de583ae9e3fdef553f18e50c44ba08b

                            SHA512

                            d27836f71b7fdc95e9bef624897d26f6cf7ebfd6df135ce80c26ec2e26d4c36ae2c7b0ee91b0d99d4b4127625edba83dfac182c08b79473dc90a8517aef67aa8

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            3KB

                            MD5

                            f12a68678be19a34cce7988fa8b42aa6

                            SHA1

                            d157addac9a60055a400cae085753902d571281d

                            SHA256

                            2f9aa4f917b85f94627577fc57826c54cb1fc43ba2715b7da55c86f515948b0b

                            SHA512

                            f7ef7ec03ebfe4cc5d822391f34e4bba053331ce4b61bc6d6c5308736eaf989a84b10bf3a47ff7860135cfb3fd048d87435bbd6da45a34a203fb9099effd7453

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            4KB

                            MD5

                            d54738166389ee40c6971d6b58cbf94f

                            SHA1

                            13e93c723663986dc629d2890f85a28ec085cdcc

                            SHA256

                            a67b64a8fecb1cd9bd33f8d4edde93eb2a86340f1cfbb666732f53e5a3b867a2

                            SHA512

                            d931b83fb8542b74068fc0c41db0da0d74f5d86a072f265794c00931a7fbb83ede99ddc716bd9f545d982a979efcba258a6ca986d7d4543e01b326804092cdea

                            Download Submit

                          • memory/4744-4-0x0000014D77AF0000-0x0000014D78018000-memory.dmp

                            Filesize

                            5.2MB

                            Download

                          • memory/4744-0-0x0000014D5CB00000-0x0000014D5CB18000-memory.dmp

                            Filesize

                            96KB

                            Download

                          • memory/4744-123-0x00007FF939B90000-0x00007FF93A651000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4744-3-0x00007FF939B90000-0x00007FF93A651000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4744-2-0x0000014D771B0000-0x0000014D77372000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/4744-1-0x00007FF939B93000-0x00007FF939B95000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4744-165-0x0000014D79060000-0x0000014D7910A000-memory.dmp

                            Filesize

                            680KB

                            Download

                          • memory/4744-166-0x00007FF939B90000-0x00007FF93A651000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/4744-196-0x00007FF939B90000-0x00007FF93A651000-memory.dmp

                            Filesize

                            10.8MB

                            Download