Overview

overview

10

Static

static

10

RobloxCheat.exe

windows10-2004-x64

RobloxCheat.exe

windows7-x64

10

RobloxCheat.exe

windows10-1703-x64

10

RobloxCheat.exe

windows10-2004-x64

RobloxCheat.exe

windows11-21h2-x64

Analysis

  • max time kernel
    246s
  • max time network
    284s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxCheat.exe

  • Size

    61KB

  • MD5

    1173330bc76af605137db64a6377f523

  • SHA1

    09713c6e32cc1304dcb40604a1695d7830ceffe3

  • SHA256

    f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7

  • SHA512

    57baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24

  • SSDEEP

    1536:oHdD3qptlFkbr9H8pV2Vi6lMVOElJJuJXc:Kxq3kbrx8pMVeOElJcJM

Score
10/10
xwormbootkitexecutionpersistencepyinstallerrattrojanupx

Malware Config

Extracted

Family

xworm

C2

amount-acceptance.gl.at.ply.gg:7420

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RobloxCheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1516
    • C:\Users\Admin\AppData\Local\Temp\fzgbbw.exe
      "C:\Users\Admin\AppData\Local\Temp\fzgbbw.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Users\Admin\AppData\Local\Temp\fzgbbw.exe
        "C:\Users\Admin\AppData\Local\Temp\fzgbbw.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:396
    • C:\Users\Admin\AppData\Local\Temp\xgoicu.exe
      "C:\Users\Admin\AppData\Local\Temp\xgoicu.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:528
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AEEE5856-4D1A-411E-A235-436B6CE3F9CE} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\ProgramData\svchost.exe
      C:\ProgramData\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:408
    • C:\ProgramData\svchost.exe
      C:\ProgramData\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
    • C:\ProgramData\svchost.exe
      C:\ProgramData\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
    • C:\ProgramData\svchost.exe
      C:\ProgramData\svchost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\svchost.exe
    Filesize

    61KB

    MD5

    1173330bc76af605137db64a6377f523

    SHA1

    09713c6e32cc1304dcb40604a1695d7830ceffe3

    SHA256

    f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7

    SHA512

    57baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI28922\python311.dll
    Filesize

    1.6MB

    MD5

    db09c9bbec6134db1766d369c339a0a1

    SHA1

    c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

    SHA256

    b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

    SHA512

    653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xgoicu.exe
    Filesize

    225KB

    MD5

    af2379cc4d607a45ac44d62135fb7015

    SHA1

    39b6d40906c7f7f080e6befa93324dddadcbd9fa

    SHA256

    26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

    SHA512

    69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    ce6d4c507e1d3db26885d52eb6b4c1d5

    SHA1

    59c6df28530af5b34ab7b3886536e704c96ee3ac

    SHA256

    3938dd0bb7e4144811f51957e17ab1fa28d36d4f655954271380031373bf052e

    SHA512

    15a8d4a5a5af17613ea55a9bf198378667749e5185d4702024e4fd2c7fceb7dc959ecf2e1c4734a76ce673e331b99cbce5b1b756d890fa2aac6ae6498f446840

    Download Submit

  • \Users\Admin\AppData\Local\Temp\fzgbbw.exe
    Filesize

    12.3MB

    MD5

    88b4216901024cb13cdbfde9f7313739

    SHA1

    4e3a8bf8620ef7c02d33a895f35859fc5c299947

    SHA256

    68f2fd65f54c0a4027b60ab8aac12e250003d84979c889b716b55e38820da436

    SHA512

    cde67dbf72c6bacfbafa4898ae09c0bcc3cea8456165036ae746060d6d422cf8a0fec834658c72ae73530cb33abd2b28eeb7a6ed9474cc5dd61e2c15a64a5d1e

    Download Submit

  • memory/396-93-0x000007FEED930000-0x000007FEEDF18000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/408-99-0x0000000000B20000-0x0000000000B36000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1728-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1728-32-0x000000001A7A0000-0x000000001A820000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1728-33-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1728-34-0x000000001A7A0000-0x000000001A820000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1728-1-0x0000000000D90000-0x0000000000DA6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2432-150-0x0000000000E50000-0x0000000000E66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2572-7-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2572-8-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2572-6-0x0000000002AE0000-0x0000000002B60000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2608-14-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2608-15-0x0000000002250000-0x0000000002258000-memory.dmp

    Filesize

    32KB

    Download