Overview

overview

10

Static

static

10

RobloxPlayer.exe

windows7-x64

10

RobloxPlayer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayer.exe

  • Size

    78KB

  • MD5

    8f3d0d4044ff8cc1d847687568c91e14

  • SHA1

    fd9049e0e5c074603b78a2aea228b75e4ce6c099

  • SHA256

    1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0

  • SHA512

    afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score
10/10
discordratevasionpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY

  • server_id

    1201970766531530822

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Disables Task Manager via registry modification
    evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5088
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C whoami
      2⤵
        PID:5348
        • C:\Windows\system32\whoami.exe
          whoami
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5396
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.0.1281884394\2085032673" -parentBuildID 20230214051806 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a64a8ec-946d-4583-98b9-38aa9e47dd8b} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 1884 21c5e415e58 gpu
          3⤵
            PID:3264
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.1.1199134785\176550371" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc540a14-457b-402d-9929-bcf2ba9f273e} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 2452 21c51689c58 socket
            3⤵
              PID:2348
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.2.982014343\746236937" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3bf3d80-928b-4963-968c-f3081c07fa04} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 3068 21c6120cd58 tab
              3⤵
                PID:4988
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.3.1604073116\898437497" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede40ddd-8a5d-4575-8cd4-e0976fd2a16a} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 3684 21c5163ee58 tab
                3⤵
                  PID:4728
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.4.929410822\726607294" -childID 3 -isForBrowser -prefsHandle 5144 -prefMapHandle 1484 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe20b9e-932e-4aeb-b6f5-66460fffe531} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 5148 21c64fba158 tab
                  3⤵
                    PID:4456
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.5.1304333975\2143469418" -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36d56e5e-d258-4f1e-92fa-8cbcb5262d19} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 5288 21c65756d58 tab
                    3⤵
                      PID:3012
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.6.1759278322\705279434" -childID 5 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8cf0290-69aa-474c-99d0-3a4589bcb830} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 5480 21c65757358 tab
                      3⤵
                        PID:4880
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2408.7.507960043\1565659530" -childID 6 -isForBrowser -prefsHandle 4176 -prefMapHandle 4416 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1188 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a779003-e3e5-4e7a-b7aa-37e84ec0eb4e} 2408 "\\.\pipe\gecko-crash-server-pipe.2408" 4204 21c63a67058 tab
                        3⤵
                          PID:428
                    • C:\Windows\system32\taskmgr.exe
                      "C:\Windows\system32\taskmgr.exe" /7
                      1⤵
                        PID:5316
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:5244

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nzxw1g49.default-release\activity-stream.discovery_stream.json.tmp
                          Filesize

                          30KB

                          MD5

                          676f6ff585a4b2e50de58399f4a0290b

                          SHA1

                          76e07e574943e09f6e9085756a5c4c9f73ea1a7b

                          SHA256

                          f0ab6f9b13a58bce301853fe67452bae2253c0cb98a7a435fbe2e186cdcf6d54

                          SHA512

                          430b1f54aed5d08116a8ec0315129b6d0f72aef208423d2fd414ac44c32abea68dfa0e37032cfe552ecc970041a8ec6522c291f3dc13c4738a3a2e62fba76f09

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
                          Filesize

                          7KB

                          MD5

                          f60435a457c73b8151fbab362cd13415

                          SHA1

                          6c0b0100a97e16dbafe8777d3fd72872040ad389

                          SHA256

                          ef3ab503ccbb748ea630594a45ec971af65d8a724a4c388eafefa31c82935f2a

                          SHA512

                          f38ac407ba14c67104de1a79c456b978a0f21e673f11e59c9a7bb8cfcbf2b5af1371f3af855fdba796a726c8a318c834cbee4db957aec393e330329ec6c680b8

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          85de7ab771d0a16db3ad71503d5aff06

                          SHA1

                          4bf0b6f7ff6dc37834a09cdee2d0862da3770d1e

                          SHA256

                          7f804e90509fb77d2b5029e27372182acaf6349806e02abbf04cfdfdc42fad17

                          SHA512

                          d00a5a15145d056ee5f42b17dadc0fdb05b818aa084f6b18964612373be1e7087dbee7a0d32b4080eee4630cfedf1eee2280205db4af01c21411c213ff031abd

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\prefs.js
                          Filesize

                          6KB

                          MD5

                          6c6181257cb28296c8864935bdcce9ae

                          SHA1

                          d2c8521ebbe6c713aceca7dd82d98735dc66e455

                          SHA256

                          9fba475d7c8da016a77135f3ee60c10cee4098c0bb0c4f312aa4e66fdc1e5ee6

                          SHA512

                          a1021677bcd6171e595ca2eddccc00e3fd9b3e5864036f9a1a6b83fb0c06809f8383906a134dfe6362eee13ba4436d880f19e247346d99206c8009111c526c2f

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          3KB

                          MD5

                          ec1b768e332078b9433ee9126f8dce12

                          SHA1

                          ddeaedf351bbfa3bb0f819ef81a8c858f77b8101

                          SHA256

                          746593a6933d217ada0a208fde952bc322cb436648562d6356f586976d8a205f

                          SHA512

                          7185630541616b768a3f7d994b9fa896ba9028767430c206aadf5276b3f5ce75a63e48073ec6bd2bbf3a623fba822405be82f1e5b90a906b5a853cd3154b6728

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          4KB

                          MD5

                          21e0ef6686ba45ada38dd755c29716a2

                          SHA1

                          92843559735e4979b9bab76f180e37216f8301e3

                          SHA256

                          495d03d4ce2a20a96bb3bc0c95438044a1dceddf731ed024157d11368eb8e090

                          SHA512

                          26fd21b2e7ed6599d0ca43be3d8821022a7cdb6081e97180d226e70e7caf97220b59117b28024a6a8992a30b5a27637a62ffdd111e07d2383b936493a04b33ed

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          4KB

                          MD5

                          ccb3d6c65887112c7ad96fed72f2102e

                          SHA1

                          8ecd532a1f064c9ba38efb0c79902a6428e86967

                          SHA256

                          3ea1208ce3c82f57c12a2b39a787b1c120c28981a57303026d3e282c8ce379c0

                          SHA512

                          2db9d25de42d0310f2635050abc3a5a60cff5acc7c664ab891ad00df988d406b026c26ced3accf63c23295cb677d2797e2360b11768716db584e19b1cd87b978

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          8df4c837d84076ffe8feca8089e30c2e

                          SHA1

                          3b1f94248f745d2af48957f5823d17b86faf7f7e

                          SHA256

                          55dcd5b0aa286d43f0c7dd3571f0e44d28051b433f81bad72836d0c3923b1585

                          SHA512

                          87a76e6f41753baddd0c67d76946ad6f73ee728219b71cdfec6d93c4fbeab4860f27c3f5baef8def00b33309ab9fae63e7dd82a360916cad73636dd90a9ef849

                          Download Submit

                        • memory/5088-3-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/5088-70-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/5088-71-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/5088-4-0x000001E1C82F0000-0x000001E1C8818000-memory.dmp

                          Filesize

                          5.2MB

                          Download

                        • memory/5088-0-0x000001E1AD330000-0x000001E1AD348000-memory.dmp

                          Filesize

                          96KB

                          Download

                        • memory/5088-2-0x000001E1C7AB0000-0x000001E1C7C72000-memory.dmp

                          Filesize

                          1.8MB

                          Download

                        • memory/5088-1-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

                          Filesize

                          8KB

                          Download