47a2e8bbef18d5491be3c449d9a5464a8804d9d1a85bc7e24ff80876e85104a3

Analysis

max time kernel
118s
max time network
128s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerLauncher.exe
Size

5.8MB
MD5

b022682dd39d113f2d5a65a172dbd28f
SHA1

aa874df3d3d0a9539c53a8a0c96c4c119bae2c52
SHA256

47a2e8bbef18d5491be3c449d9a5464a8804d9d1a85bc7e24ff80876e85104a3
SHA512

d6746ca7c1e10b1ed7fb48d857210ce5cd0f0542c81fdbf00a6afaf4607f30020ccc09f4c41ef9f50bc2562bf6e4380e7abaef1d5a5b1e91773281bcd9e58525
SSDEEP

98304:6Qv2DFDUtJEjcseLtY1pthFX26elVJ2qg4FMvq821kRlzcV7yMuh:B2BDULEjL//elNg44R+VGMA

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerLauncher.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2556	1956	RobloxPlayerLauncher.exe	28
PID 1956 wrote to memory of 2556	1956	RobloxPlayerLauncher.exe	28
PID 1956 wrote to memory of 2556	1956	RobloxPlayerLauncher.exe	28
PID 1956 wrote to memory of 2556	1956	RobloxPlayerLauncher.exe	28
PID 1956 wrote to memory of 2556	1956	RobloxPlayerLauncher.exe	28
PID 1956 wrote to memory of 2556	1956	RobloxPlayerLauncher.exe	28
PID 1956 wrote to memory of 2556	1956	RobloxPlayerLauncher.exe	28

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Checks whether UAC is enabled
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=cb5e1ef861e0b94bbfd3c1c166285778889972be --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=0 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x424,0x428,0x42c,0x3e8,0x434,0x1f26a74,0x1f26a84,0x1f26a94
  2⤵
  - Enumerates system info in registry
  - Modifies system certificate store
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
2KB

MD5
d25020a76910c9932e8fa3b267a4d1bd

SHA1
6160cb0182213f258ece9a934346b64a972b9744

SHA256
7b56328c252d2862e97dbe6a0d70e6b98fa41b345fa5bd2b2a32a9986e153b70

SHA512
1e9be9aabf5d76ce6dc4c739632a6e4d50b557da4551853f6d2fea608f6870d25583744ba72e96cbf4d5b4b7ebd5216c20223dbe959f4e6443b8adeb63a40f0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
09018b283356d2a4207b9533f19e2a31

SHA1
34a611ea4043e78352e50fbebfc707bf3a1321ad

SHA256
7b737396178f650052961b694d56765a9b6695d51ca2c1bca96a875cf7bddf98

SHA512
3871540f7609a410c54ec5c41e1576997b666db86681a666d3e5c4fb02661306459410fc55c3a5b3d3ded427d565841f23fbc9473a0b05cc65ca7979af029c3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
488B

MD5
15a600c0f55c96a9bae105fadbe835ea

SHA1
34070296e6ce476d76a578199a458a7d9efaabbc

SHA256
d1b62fc7fef5784fd576bd947f4bbaf1d38aef0aff367b0e2223bb76660620f7

SHA512
8578c3a42d117505f813f02e4f97ad79610d971d9d896376d640f438221681619fb1dd930e28718169b8d9c880d45ee3af91482a61ca6e2b17db0169fbc4e5fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e396094efe35005120d23070338f6b17

SHA1
8b298cf15c5bf6da3f230f64ba722ed6abcc88e7

SHA256
53a8bd5cc2f4018daaa778de0c2663215649d3f32a37ba7a6d65c2870a4b51b0

SHA512
b426dbb0f8682fb02989be50bb4cd4b6c0debf355a0e13303442c2b235892ab38bfe8f5a71270aa0d986e1d75cc6534b10efc72f916c944bb3f835305c9beb1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc690b8ed458fd248ec3f901d85bb1a0

SHA1
69fb7914dbc95566dd9d5bc3e5b1dade8d5e8381

SHA256
ccab3cf7d51820a74ba3bef73d250dcfba03edaf31498ce56b5f937c2ecf271f

SHA512
b8dbb901ddffb7586cfecf5b55f40e2865754d028c5c72363f5904a7c0953c5bfe71d958e8744db873b2b8653941111fd7d79d48a12a8e4d1427909d913ff1f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
418fdec9a4a18649fe0c073274ff3e2f

SHA1
0168324d7f13ba5e93e79ddb5b6e33f44d9a691d

SHA256
addf2a391574a0531c681048bab556134e82424d38e4456f7e32c3b89dd97481

SHA512
249107e949e4688e864de4ee5c8f3d93ca399a0cb79fc2a45c11c6e1bdeffe0ab5c054d366d6e1f32f56eeaa341be36ad59b234f76192ef0bd769c17679be94e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
3ccf8d985cba7105cd1e7e9c35cb8997

SHA1
1772319204e70025eb770eb550ba7506c251c048

SHA256
1d15f4780f7fd39fee72898692730bb25f9cf090d72c2c07c5d9fcd07e4e3902

SHA512
7cc198490273716f95df634f39e520bcfa690f06c63f6788e504a4c020ff65bc23b460e62f1f1e9096eb3334c60410a50990486a49cf679d59304c2d86e4cfd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21E3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads