Overview

overview

10

Static

static

10

RobloxPlayer.exe

windows7-x64

10

RobloxPlayer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxPlayer.exe

  • Size

    78KB

  • MD5

    8f3d0d4044ff8cc1d847687568c91e14

  • SHA1

    fd9049e0e5c074603b78a2aea228b75e4ce6c099

  • SHA256

    1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0

  • SHA512

    afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score
10/10
discordratevasionpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY

  • server_id

    1201970766531530822

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Disables Task Manager via registry modification
    evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4400
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
      PID:2744
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3720
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.0.1902406734\552523358" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8bf3688-8e82-41d4-9e0c-e58126be478a} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 1900 140af30e458 gpu
          3⤵
            PID:1220
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.1.1820346344\1158174598" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfd167ad-0970-4101-a8c0-893bda83ff9a} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 2468 140a2588a58 socket
            3⤵
              PID:4436
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.2.24290476\2020883107" -childID 1 -isForBrowser -prefsHandle 2792 -prefMapHandle 2712 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aef17b4d-e472-47a0-a7e8-11d985b197f2} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 3020 140b2205f58 tab
              3⤵
                PID:4204
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.3.969849472\1587648495" -childID 2 -isForBrowser -prefsHandle 3832 -prefMapHandle 3808 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {598d7333-853d-41a0-9f22-60fab064f232} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 3852 140b41cc858 tab
                3⤵
                  PID:4904
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.4.626143306\241861432" -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 5096 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7472ade2-fc24-42f3-9d60-433a7fa1f49d} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5032 140b695e858 tab
                  3⤵
                    PID:5292
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.5.6646015\237147315" -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {490df5a7-6a7b-4009-9c7a-ffd7776cb915} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5228 140b695f758 tab
                    3⤵
                      PID:5300
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.6.1938109870\386266570" -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {871c06d0-ac6c-4153-b94d-a92e761fb7c0} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5420 140b6961558 tab
                      3⤵
                        PID:5308
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3720.7.554106513\266357780" -childID 6 -isForBrowser -prefsHandle 1652 -prefMapHandle 1636 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7d52fbf-234e-4774-906e-7146b7eda3a1} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" 5768 140b5b05058 tab
                        3⤵
                          PID:6040
                    • C:\Windows\system32\AUDIODG.EXE
                      C:\Windows\system32\AUDIODG.EXE 0x4c8 0x510
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5736

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      29KB

                      MD5

                      429ee90d372a78b9df0e5a981f76a1ea

                      SHA1

                      47e6a7e0240a4087068724ab830806a4e3929b58

                      SHA256

                      7b50b4b3a9d9b9640ca549acc3fab4ea7a80c038f9e1e9c2534ba67d4504ad48

                      SHA512

                      852ced01282e662067887b3906ea329fcd4d29a71e3a27da9110b96d7455a9a004b181c9f2767a5fb28322893279082e25f0e955acb7b40347bd21952acfad00

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qzr7kws6.default-release\cache2\entries\1BD06364B17F941101FCC95275213BEB65016BDA
                      Filesize

                      60KB

                      MD5

                      b0152ce0ec8a69ad0bb001aed5434d5b

                      SHA1

                      b416669eaf5dad3164bde8b5052f2c57fd519e38

                      SHA256

                      acf5554bd3884d297084b8f8b3e377670e3147ba71b5ba2a1023175860347155

                      SHA512

                      33fed50792ef4104cb8cdaef8738fbdfc0a829cc24e9b47e642a08f16f3fa1df8c705f6609ff8ff9ce9f69ece81e6691d3a1349df2aa482713f8e099a121b2f2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      b9eca33379d3db6c0b93d2649d347e4e

                      SHA1

                      396d6edb9a4423d892a5fa0b0e01fca94cd0c02f

                      SHA256

                      b5dc99b38bb55fefef4e2da8a871d7986af890ebddfa67ac4f6fbfef8a2c2fc6

                      SHA512

                      ad739d454005f45b84a7d70ff29768f505dc111c6782804ecdcf2f64cb0a7e71c58ca4c2a82ec258a388a744c5157a0baf06be1d37bb317ca7a75275ef6f9cb3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      3KB

                      MD5

                      4a6278b5614af516db34de15c87fdf42

                      SHA1

                      737243e7ea33e87be435cafef5dbbd1a7eddba08

                      SHA256

                      c9b73ce39d876ddbe81eb028a6e22cc914ecaa8ef06fe96ad4a19f23c69391e6

                      SHA512

                      a7e1cbc83815f639f13eab30997433f792326af2006f885103fbd422a510cda6a9cef64b40d409585c27559091503437683c0e1e37960c2815bb3c5538c55b6d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      4KB

                      MD5

                      0597436ae297afd864bacce31b905784

                      SHA1

                      72123ab666fbe9e1c50407312020a84caf8958f6

                      SHA256

                      2ffa3c626be3df81004915f833341b4e8480739f0d70ec8a7764dc45a9eea436

                      SHA512

                      7160cd9f8adcf167c33ce5d8ebb6c9c1a83acd8465a79fd27672773297076252a4690ccf57144a786eb8fb5b0b7f2c0a2de4943cb4048389b2d8ed2c9abf701c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      4KB

                      MD5

                      ba88ec472c3d2cbf669dad9b2d74c2cf

                      SHA1

                      4c54a957c672e1a4a2dd2f4e6f995d30f8cc2b54

                      SHA256

                      131b611c058c183c60ac15b45f5d30f3193e5f7918750ff8652f46f6592ad9ab

                      SHA512

                      7f3e94404e45edda429b51919bc327bad8cfb20822a5693eb486678c252326ef2d398a4ac05cbe402a9ade309e6bf3150718a5044070bb4d13767d2ff97163b2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      4KB

                      MD5

                      8b597a9d01a3e404e2a7afa664089b08

                      SHA1

                      16a02abd97c13d1f865f3e6de37d6bb72ebb2ae9

                      SHA256

                      37c2172eea797d43fec2bab9e82ff7040d990bce6c9b6030af9f9f510d24bb89

                      SHA512

                      70dabeb46b64b6c342d60754c7fea681bd3a022c904422b172dc0310c49477185b1ab298d8f8a14007e726f053ef95113be5ae8d23e2ab96742368d19dffa5c8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      4KB

                      MD5

                      812a7af6dc0ab08b28ccabf8e068fe1a

                      SHA1

                      d79fc8ef77f931de644ff4ee40545a960a26db0d

                      SHA256

                      53ef220326a6a8cc4bfbb5d245a6a2abd3174e259b996894295ac0fe9b13453f

                      SHA512

                      85fe7718c10fc5568279b85291d5cddfbde34280eefca5dc958e5fb168cbef0f93f958c5be2adf81fd765c0fa698177569bfb4b72a9e8df0095bb59c970bc82f

                      Download Submit

                    • memory/4400-4-0x000002B2E9C60000-0x000002B2EA188000-memory.dmp

                      Filesize

                      5.2MB

                      Download

                    • memory/4400-56-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4400-55-0x000002B2EBC10000-0x000002B2EBCBA000-memory.dmp

                      Filesize

                      680KB

                      Download

                    • memory/4400-52-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4400-51-0x00007FFD4E233000-0x00007FFD4E235000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4400-141-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4400-1-0x00007FFD4E233000-0x00007FFD4E235000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4400-3-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4400-2-0x000002B2E9460000-0x000002B2E9622000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/4400-0-0x000002B2CED60000-0x000002B2CED78000-memory.dmp

                      Filesize

                      96KB

                      Download